MessageIdVersionQualifiersLevelTaskOpcodeKeywordsRecordIdProviderNameProviderIdLogNameProcessIdThreadIdMachineNameUserIdTimeCreatedActivityIdRelatedActivityIdContainerLogMatchedQueryIdsBookmarkLevelDisplayNameOpcodeDisplayNameTaskDisplayNameKeywordsDisplayNamesProperties
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481618024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x2F393 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481618022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481618021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a784a7ba85fde77bb15c6a1962f1a8e1_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481618020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x794CF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x794CF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x794CF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481618016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:04:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x78EBE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:02:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x78EBE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:02:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x78EBE6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481618013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:02:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78D4F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:01:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78D4F6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481618011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:01:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78D4F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:01:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481618009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202604n-h1-861357-2.cbci-861357-2.local10/14/2022 3:01:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x78728B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 3:00:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x78728B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50670 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:00:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x78728B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481618006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 3:00:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7840D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7840D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481618004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7840D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481618003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481618002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FAF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481618001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FAF4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481618000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77FAF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77EC3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED2D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ED2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ECE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ECE4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77ECE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77EC3E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3916161588-1162867218-2319185590-2152731612 Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77EC3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E96BE234-F212-454F-B6F6-3B8ADC135080 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:59:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF9C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:58:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x776454 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:58:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x776454 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50660 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:58:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x776454 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:58:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7730CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7730CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7730CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76ED4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76ED4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76ED4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CE3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF9C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CF43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CEF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CEF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CEF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CE3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1890706053-1221842549-2289275573-1835075290 Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76CE3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70B1E285-D675-48D3-B592-7388DA06616D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758C4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:57:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x763CCB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:56:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x763CCB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50655 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:56:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x763CCB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:56:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75E837 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75E837 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75E837 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B520 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B520 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758AF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758C4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BF5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BF5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758BAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758AF3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3216335109-1189489553-1346650550-3035000708 Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x758AF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BFB56105-2B91-46E6-B641-4450846FE6B4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x756292 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x756292 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50650 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x756292 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:54:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x7502F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:52:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x7502F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50635 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:52:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x7502F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:52:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CE14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:51:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B379 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:51:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B379 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:51:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B379 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:51:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:51:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x743CE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:50:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x743CE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50627 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:50:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x743CE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:50:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740DDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740DDC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x740DDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73DB9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73DB9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73DB9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CCCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CE14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CE14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CDBB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CDBB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CDBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CD72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CD72 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CD72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CCCC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2405494548-1321982374-3576004791-422185028 Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73CCCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F60EF14-D9A6-4ECB-B780-25D544082A19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:49:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x738754 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:48:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x738754 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50612 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:48:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x738754 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:48:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7243A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:47:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x72B322 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x72B322 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50606 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x72B322 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728544 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728544 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x728544 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:46:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x725281 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x725281 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x725281 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724260 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7243A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7243A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72434F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72434F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72434F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202820n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724306 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724306 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724306 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724260 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4244194145-1227061186-1964692885-3358652057 Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x724260 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FCF94361-77C2-4923-95D5-1A7599F630C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:45:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:44:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x71975C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:44:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x71975C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50587 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:44:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x71975C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:44:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716434 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716434 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x716434 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713098 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713098 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713098 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7121AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7122A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712257 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712257 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712257 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7121AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-657302097-1283195254-319954831-1750350000 Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7121AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 272DA251-0176-4C7C-8F1F-1213B0385468 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x70D271 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:42:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x70D271 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50574 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:42:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x70D271 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:42:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA684 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:40:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x701C7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:40:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x701C7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50564 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:40:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x701C7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:40:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FE6BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FE6BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FE6BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB38E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB38E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB38E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA53C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA684 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA684 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA62B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA62B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA62B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA5E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA5E2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA5E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA53C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1839958320-1138944786-1303030675-1128429387 Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA53C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6DAB8930-EB12-43E2-93AB-AA4D4B774243 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6F5A3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6F5A3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50552 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:38:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6F5A3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:38:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6EF7C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:36:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6EF7C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50531 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:36:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6EF7C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:36:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6E95BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:34:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6E95BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50518 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:34:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6E95BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:34:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6E304E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:32:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6E304E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50507 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:32:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6E304E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:32:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1308 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8517 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8517 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D8517 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D50DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D50DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D50DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D201A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D201A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D201A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D11C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1308 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1308 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D12AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D12AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D12AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1266 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1266 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D1266 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D11C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-445362669-1336413356-1376103831-3184966985 Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D11C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A8BB1ED-0CAC-4FA8-97AD-055249BDD6BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6CFEE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6CFEE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50488 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6CFEE5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFDBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6C35C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3B15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3B15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C3B15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6C35C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50444 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6C35C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:28:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C0A90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C0A90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C0A90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFC76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFDBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFDBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD64 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFD1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFC76 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-342721099-1279730552-2508922539-1516528905 Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BFC76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 146D824B-2378-4C47-AB1E-8B950965645A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0453 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0D2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B50EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B50EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B50EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3DF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3DF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3DF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B1A40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B1A40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B1A40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0BE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0D2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0D2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0CD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0CD5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0CD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0C8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0C8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0C8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0BE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4082444734-1120525974-3087667858-234617178 Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0BE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F35529BE-DE96-42C9-9212-0AB85AF9FB0D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50421 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50419 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B049A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0499 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0499 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50420 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0499 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0453 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50418 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B0453 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6AD324 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6AD324 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50412 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6AD324 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:26:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A001E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A05D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A24F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A24F3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A24F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A12E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A12E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A12E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0422 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A05D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A05D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A057D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A057D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A057D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A04C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A04C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A04C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0422 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3189748894-1331359080-3815916456-4148164265 Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0422 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE1FB49E-ED68-4F5A-A843-72E3A9F63FF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0075 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0070 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0071 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0075 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50395 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0075 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50394 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0071 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0070 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50393 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A0070 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A001E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50392 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6A001E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x69E4F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x69E4F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50391 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x69E4F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:24:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C8AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:22:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6931F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:22:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6931F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50371 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:22:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6931F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:22:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691751 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691751 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691751 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68D58A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68D58A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68D58A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C765 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C8AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C8AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C854 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C854 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C854 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C80B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C80B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C80B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C765 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1222949386-1076897653-2194061204-3694470487 Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C765 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48E4BA0A-2775-4030-94B7-C682572535DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E556 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:21:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x682394 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x682394 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x682394 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67F227 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67F227 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67F227 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E40F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E556 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E4B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E40F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3896772957-1254292306-1625148554-4097981771 Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E40F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E844095D-FB52-4AC2-8ACC-DD604B3D42F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674C83 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6751AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677141 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677141 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677141 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675EB9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675EB9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675EB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6748F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675065 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6751AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6751AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675154 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675154 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675154 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67510B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67510B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67510B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675065 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3960087959-1303673618-3253932166-3098018459 Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x675065 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EC0A2597-7B12-4DB4-8610-F3C19B02A8B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50353 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50354 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D4C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50352 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674D3D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674C83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50351 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x674C83 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6748F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50350 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6748F2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:20:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665B20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:19:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A939 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A939 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A939 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6667F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6667F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6667F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6659D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665B20 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665B20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665AC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665AC7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665AC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665A7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665A7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x665A7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6659D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2528183090-1209146943-1544337073-3076475357 Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6659D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96B10332-1E3F-4812-B1B6-0C5CDD495FB7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C306 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C85A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65E780 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65E780 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65E780 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65D568 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65D568 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65D568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C70F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C85A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C85A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C801 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C801 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C801 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C7B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C7B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C7B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C70F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-649822883-1169898977-4184171439-2721948301 Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65C70F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 26BB82A3-3DE1-45BB-AF63-65F98DA23DA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C35A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C357 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C35A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50327 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C35A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C357 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50326 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C357 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C356 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C356 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50325 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C356 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C306 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50324 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65C306 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65B832 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:18:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x65B832 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50323 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:17:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65B832 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:17:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65498B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:16:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x65498B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50297 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:15:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x65498B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:15:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x64DCE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:14:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x64DCE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50281 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x64DCE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6423AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6423AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6423AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63F083 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63F083 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63F083 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E1B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2A6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E2A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E25D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E25D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E25D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E1B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1860790070-1154154159-1394121109-764975246 Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63E1B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EE96736-FEAF-44CA-9599-18538E98982D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:13:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6397D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:12:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6397D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50267 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6397D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F7A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F52 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x629059 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628FC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:11:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x62A25C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F1E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6287E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x629895 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63218B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62911A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6290F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63218B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63218B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x62E400 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x62E400 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x62E400 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E164 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E164 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E164 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DF37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DF37 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62DF37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x62A39B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x62A3AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x62A388 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x62A3AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31D36A6D-CA14-99F1-4ABD-FDFF5EE05203} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50241 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x62A39B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31D36A6D-CA14-99F1-4ABD-FDFF5EE05203} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50239 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x62A388 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31D36A6D-CA14-99F1-4ABD-FDFF5EE05203} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50240 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x62A25C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31D36A6D-CA14-99F1-4ABD-FDFF5EE05203} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50238 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x629895 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50238 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x6291D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6291D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62916E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62916E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62916E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62911A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1623384717-1156557680-3989648282-3580027926 Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62911A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60C2E28D-AB70-44EF-9A33-CDED16E462D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6290F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6290F1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x629059 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x629059 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628FC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628FC6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628F8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F8F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628F7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F7A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628F63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F63 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628F52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F52 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628F1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50237 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628F1E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628ED9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EFC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628EFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50241 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EFC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628EEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50240 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EEC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628ED9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50239 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628ED9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x628EAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50238 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x628EAE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:10:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x6287E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50237 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:09:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6287E5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:09:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A74B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:08:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x61B565 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202880n-h1-861357-2.cbci-861357-2.local10/14/2022 2:08:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C6ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C6ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481617387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61C6ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x61B565 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50228 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x61B565 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B50C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B50C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61B50C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A603 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A74B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A74B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A6A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A603 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1351132530-1088268239-881686183-3359923653 Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A603 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5088A572-A7CF-40DD-A776-8D34C55D44C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D16B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:07:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60511B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610FE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610FE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610FE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60DE3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60DE3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60DE3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D024 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D16B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D16B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D112 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D112 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D112 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D0C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D0C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D0C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D024 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872756507-1300420241-1517789340-3569193353 Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60D024 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F9FFF1B-D691-4D82-9CA0-775A8991BDD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6018E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:06:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x60511B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50204 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60511B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603ED5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603ED5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603ED5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B8D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B8D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601D38 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E83 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E2A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601E2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DE1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DE1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601DE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601D38 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1764201471-1288244316-1951155124-2595884889 Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601D38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 692793FF-0C5C-4CC9-B443-4C74590FBA9A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x601952 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x601952 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50203 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x601952 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50202 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50201 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x60194C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6018E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-861357-2 Source Network Address: 10.222.0.42 Source Port: 50200 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x6018E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5FB23D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:05:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5FB23D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50190 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:03:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5FB23D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:03:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9496 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5E806D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F073D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F073D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F073D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED263 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED263 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED263 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EA1A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EA1A6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EA1A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E934E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9496 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9496 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E943D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E943D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E943D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E93F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E93F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E93F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E934E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2495591753-1164772537-731730593-2566032083 Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E934E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 94BFB549-04B9-456D-A152-9D2BD38AF298 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:02:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5E806D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50178 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:01:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5E806D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 2:01:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5D2D56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9A49 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD759 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD759 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD759 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA71E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA71E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DA71E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9902 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9A49 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9A49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D99A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 2:00:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9902 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3846366383-1125524072-3256308919-2471294124 Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9902 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E542E4AF-2268-4316-B754-17C2ACF44C93 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3AA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3AA2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3AA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5D2D56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50155 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5D2D56 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D086E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D086E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D086E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFA1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB62 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB09 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFB09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFAC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFAC0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFAC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFA1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-879757205-1256155835-1711880368-3712824703 Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFA1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 34700795-6ABB-4ADF-B038-09667F354DDD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5C8EDF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:59:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5C8EDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50140 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:57:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5C8EDF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:57:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5B8F46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:56:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B91C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:56:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD277 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD277 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BD277 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9ED6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9ED6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9ED6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B907A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B91C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B91C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B916B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B916B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B916B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9122 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9122 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B9122 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B907A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-591198173-1311810161-4287243178-1294432680 Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B907A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 233CF7DD-A271-4E30-AA23-8AFFA879274D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5B8F46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50123 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5B8F46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:55:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5AD304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:54:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A58E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x5AD304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50101 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x5AD304 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x59760C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A9904 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A9904 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A9904 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A65D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A65D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A65D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A579C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A58E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A58E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A588B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A588B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A588B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A5842 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A5842 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A5842 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A579C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1940239798-1075813415-1852373165-3026184971 Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A579C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73A5B5B6-9C27-401F-ADF8-686E0BEB5FB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:53:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5985B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:52:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C3FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C3FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C3FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59928C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59928C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59928C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598470 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5985B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5985B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59855E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59855E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59855E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598515 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598515 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598515 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598470 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3487645268-1102426858-2031022756-4171904434 Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598470 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CFE13E54-B2EA-41B5-A4F2-0E79B235AAF8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x59760C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50068 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x59760C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5818B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57201E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58B944 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58B944 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58B944 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x588A2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x588A2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x588A2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585966 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585966 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x585966 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:51:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5825B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5825B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5825B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581767 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5818B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5818B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58185A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58185A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58185A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581811 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581811 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581811 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581767 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1012936410-1221951134-2927027-5300033 Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x581767 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C602EDA-7E9E-48D5-B3A9-2C0041DF5000 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E90A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57BEF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57BEF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57BEF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x56BACB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576713 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576713 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x576713 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x572D4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x572D4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x572D4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571ED7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57201E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57201E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FC5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FC5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571FC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571F7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571F7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571F7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571ED7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3015012987-1337436985-4059177099-3246562927 Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x571ED7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3B5727B-AB39-4FB7-8B20-F2F16F9E82C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:50:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525BB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x56BACB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50043 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x56BACB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x543944 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x564FCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x564FCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x564FCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561283 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561283 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F65C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F65C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F65C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E7C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E90A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E90A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E8B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E8B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E8B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E868 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E868 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E868 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E7C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2207180239-1312736665-3862157473-723286277 Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55E7C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 838EE5CF-C599-4E3E-A1D8-33E605791C2B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537A50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:49:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x534379 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54550F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54CB80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54CB80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54CB80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54A4B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54A4B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54A4B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5463E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5463E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5463E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5453C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54550F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54550F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5454B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5454B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5454B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54546D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54546D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54546D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5453C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-512983087-1239641256-4164385708-3356563306 Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5453C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E93802F-6CA8-49E3-AC7B-37F86A1711C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5446DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5446DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5446DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5437FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x543944 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x543944 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5438A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5437FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3034336156-1281782478-3297603241-80793645 Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5437FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B4DC4B9C-72CE-4C66-A96E-8DC42DD0D004 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541F08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541F08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541F08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53A6D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53A6D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53A6D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538788 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538788 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x538788 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537908 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537A50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537A50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5379AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537908 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1698323742-1162584639-1369880723-3219198331 Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x537908 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 653A5D1E-A23F-454B-93B8-A6517B11E1BF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:48:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5366CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5366CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5366CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x534379 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 50012 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x534379 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51926D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52FD84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52FD84 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52FD84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:47:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529CC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529CC2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529CC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5269CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5269CB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5269CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525A6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525BB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525BB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B12 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525B12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525A6D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3191614829-1276074303-3603948200-3608564373 Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x525A6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE3C2D6D-593F-4C0F-A8E2-CFD6955216D7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE2D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51DE40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51DE40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51DE40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A109 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A109 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A109 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51911F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51926D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51926D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519212 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519212 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519212 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5191C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5191C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5191C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51911F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-465214494-1183284866-1070130365-2898326579 Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51911F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1BBA9C1E-7E82-4687-BDE4-C83F33F4C0AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x506774 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FCE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C1F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C1F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C1F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:46:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x508D85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x508D85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x508D85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4FD9D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50661A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x506774 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x506774 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50671B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50671B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50671B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5066D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5066D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5066D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50661A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-995212523-1302117611-798681752-4123447453 Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50661A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B51BCEB-BCEB-4D9C-98EA-9A2F9DD0C6F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x4FD9D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49956 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4FD9D8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A16DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F48D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F48D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F48D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F12B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F12B9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F12B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE17E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE2D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE2D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE280 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE280 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE236 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE236 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE236 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE17E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3643056048-1192777663-2718030265-2823792415 Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EE17E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D9249FB0-57BF-4718-B9D9-01A21FA74FA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EC4B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EC4B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EC4B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:45:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EB8D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EB8D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EB8D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E848E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E848E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E848E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6FFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6FFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6FFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E67E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E67E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E67E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:53 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E4097 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E4097 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E4097 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D542B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4CBC46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D94F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D94F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D94F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:44:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D61DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D61DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D61DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D52E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D542B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D542B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D53D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D53D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D53D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5389 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5389 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D5389 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D52E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-337847597-1287018845-3872328346-1959765182 Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D52E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1423252D-595D-4CB6-9A0A-CFE6BEA4CF74 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D227A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D227A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D227A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3273 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CBD48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CBD48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CBD48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x4CBC46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49883 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4CBC46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE42 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF89 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF30 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAF30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAEE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAEE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAEE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE42 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2412148985-1117899237-2895534994-843368695 Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8FC678F9-C9E5-42A1-925B-96ACF7C84432 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9593 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9593 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9593 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C83EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C83EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C83EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3FDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3FDE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3FDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C312B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3273 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C3273 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C321A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C321A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C321A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C31D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C31D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C31D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C312B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2647511648-1074855379-3039239065-883719900 Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C312B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9DCDD260-FDD3-4010-991B-27B5DC7EAC34 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A816C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:43:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x484784 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E060 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0C29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0C29 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B0C29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE829 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE829 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AE829 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AD10C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AD10C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AD10C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AC902 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AC902 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AC902 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9071 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9071 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A9071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8025 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A816C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A816C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8113 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8113 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8113 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A80CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A80CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A80CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8025 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4227100197-1170090043-2610548366-2454346726 Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8025 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBF46E25-283B-45BE-8ECE-999BE65B4A92 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A64A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A64A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A64A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A24C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A24C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A24C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1584 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A16DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A16DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1686 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1686 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1686 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A163B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A163B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A163B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1584 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3106010113-1187738277-959576214-3631018534 Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B921F401-72A5-46CB-96F8-313926F26CD8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496ECE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49B46F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49B46F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49B46F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497CBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497CBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x497CBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496D04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496ECE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496ECE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496E75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496E75 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496E75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496DA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496DA9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496DA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496D04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-7308532-1289102655-1040594323-999328996 Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x496D04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 006F84F4-253F-4CD6-9335-063EE48C903B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4942D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4942D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4942D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x490B27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x490B27 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x490B27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FB9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FCE9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FCE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC47 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FC47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FB9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1008496496-1121615512-3399274166-141016099 Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48FB9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C1C6F70-7E98-42DA-B6CE-9CCA23BC6708 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:42:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484EB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48925E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48925E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48925E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485C4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485C4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x485C4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484C58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484EB1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484EB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484E58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484E58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484E58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484D8D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484D8D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484D8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484C58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1442653827-1143802146-4136523700-2096805104 Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x484C58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 55FD2683-0922-442D-B457-8EF6F0B4FA7C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x484784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49813 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x484784 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47864B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CC82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CC82 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47CC82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479491 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479491 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479491 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x478503 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47864B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47864B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4785A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x478503 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3926715167-1289666058-3090976949-1496899965 Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x478503 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EA0CEB1F-BE0A-4CDE-B590-3CB87DE13859 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:41:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ACF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:40:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x460706 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414770 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E820 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467033 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467033 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x467033 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4614C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4614C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4614C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x460706 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49757 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x460706 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45F60D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45F60D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45F60D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E6D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E820 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E820 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E7C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E7C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E7C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E77E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E77E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E77E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E6D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-875552024-1231115871-161123716-2272414956 Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45E6D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 342FDD18-565F-4961-848D-9A09EC4C7287 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44CD6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44CD6C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44CD6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42ADC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43AD16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43AD16 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43AD16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437F58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437F58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437F58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434E4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434E4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434E4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D27 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42FDDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42FDDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42FDDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EEF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F037 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EFDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EFDE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EFDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EF95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EF95 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EF95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EEF0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1641947406-1207755035-2939149485-1455989826 Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42EEF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61DE210E-E11B-47FC-ADDC-2FAF42A4C856 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:39:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DE7B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E060 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E007 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E007 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42E007 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DFBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DFBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DFBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DE7B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4041965100-1288870749-2295654822-2645592695 Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DE7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F0EB7E2C-9B5D-4CD2-A6E9-D488778AB09D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BBAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BBAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BBAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AC79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42ADC3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42ADC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD6A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AD21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AC79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-681021189-1139413760-1560712333-194383429 Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42AC79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28978F05-1300-43EA-8D94-065D450E960B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4193DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:38:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E046 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E046 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41E046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41146B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x4193DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x4193DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4171CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4171CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4171CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4154E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4154E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4154E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414629 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414770 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414770 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414717 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414717 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414717 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4146CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4146CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4146CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414629 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334734983-1243910756-1786971795-1499109861 Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414629 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B293A87-9264-4A24-9306-836AE5995A59 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4121D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411324 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41146B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41146B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411412 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411412 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411412 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4113C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4113C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4113C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411324 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1696636715-1287923465-1392950168-3980636810 Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x411324 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65209F2B-2709-4CC4-98BB-06538AB243ED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBE3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4019EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4071B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4071B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4071B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x404CA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x404CA3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x404CA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402A5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402A5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402A5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401282 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4019EB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4019EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4017E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4017E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4017E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4015BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4015BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4015BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401282 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-283967373-1268016142-1004663723-952348059 Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x401282 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10ECFF8D-640E-4B94-ABF3-E13B9BADC338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC46A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCBFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCBFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCBFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBCF5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBE3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBE3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBDE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBDE4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBDE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBD9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBD9B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBD9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBCF5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-170972581-1169086225-2194933925-4150788494 Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FBCF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A30D5A5-D711-45AE-A508-D4828E0168F7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:37:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x3C5E9C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6D65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6D65 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6D65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1D46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EFF39 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EFF39 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EFF39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED1D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED1D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED1D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC31D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC46A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC46A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC40B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC40B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC40B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC3C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC3C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC3C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC31D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-483303371-1299102576-550926270-2303382258 Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC31D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CCE9FCB-BB70-4D6E-BE77-D620F2D24A89 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EAAE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EAAE8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EAAE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9C3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D84 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D2B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9D2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9CE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9CE2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9CE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9C3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1370469019-1182119741-145955465-513979946 Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9C3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51AFB29B-B73D-4675-891A-B3082AB6A21E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7918 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7918 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7918 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2AC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2AC2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2AC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1BF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1D46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1D46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CED Privileges: SeImpersonatePrivilege467200125480-921436483760003481616320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1CA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1BF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-319604740-1085346006-1214405538-1935265816 Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E1BF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 130CC804-10D6-40B1-A25B-624818D05973 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5FEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD120 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD120 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DD120 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:36:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6D82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6D82 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D6D82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5EA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5FEC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5FEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F4A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5F4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5EA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1872009073-1234805353-1220074431-2413684114 Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D5EA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6F949771-A269-4999-BFDB-B84892E5DD8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEAD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2AC5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6965 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6965 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C6965 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x3C5E9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49608 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x3C5E9C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C30C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C30C3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C30C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF88F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF88F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF88F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE992 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEAD9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEAD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA37 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEA37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE992 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3472619308-1140523200-2241708705-4007255705 Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE992 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEFBF72C-00C0-43FB-A1C2-9D8599DED9EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC6CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC6CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC6CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B869A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B869A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B869A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:35:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B3806 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B3806 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B3806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B297E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2AC5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2AC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A6C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A23 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B2A23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B297E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1619613341-1194663093-4085134757-1566907090 Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B297E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6089569D-1CB5-4735-A535-7EF3D21A655D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B1A93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B1A93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B1A93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0C1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D69 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D10 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0D10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0CC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0CC7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0CC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0C1D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-148897189-1262936271-1710026430-3972959472 Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B0C1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08DFFDA5-E0CF-4B46-BEEE-EC65F08CCEEC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3876C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A683F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A683F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A683F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5BB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5BB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A5BB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:34:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x390B14 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398488 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39ABAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39ABAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39ABAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39927A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39927A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39927A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3982CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398488 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x398488 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39842F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39842F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39842F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3983E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3983E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3983E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3982CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1110118732-1220627615-1391471012-2835117608 Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3982CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 422B114C-4C9F-48C1-A429-F0522876FCA8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BF31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392059 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392059 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392059 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x390B14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49549 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x390B14 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3908E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3908E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3908E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38B8B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38B8B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38B8B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38A9C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AAB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AAB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AAB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AA6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AA6E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AA6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38A9C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3763253057-1232666057-1120941957-395162475 Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38A9C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E04EAF41-FDC9-4978-8537-D0426BB38D17 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x388449 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x388449 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x388449 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387581 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3876C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3876C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38766F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38766F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38766F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387626 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387626 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387626 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387581 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2152313620-1310837221-1753438625-774236420 Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x387581 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8049B314-C9E5-4E21-A159-836804E9252E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382A6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382A6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382A6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36702C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37CD2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37CD2A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37CD2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BD95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BF31 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BF31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BED4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BED4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BED4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BE6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BE6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BE6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BD95 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2586687174-1288047157-3476412852-4109412664 Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BD95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9A2DB6C6-0A35-4CC6-B4D9-35CF38A9F0F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BAA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BAA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37BAA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A928 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376D86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376D86 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376D86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:33:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372FD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372FD0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x372FD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBEE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBEE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36DBEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36B661 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36B661 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36B661 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A7E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A928 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A928 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A8CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A8CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A8CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A886 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A886 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A7E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3775683577-1125987948-2033927810-1190836099 Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36A7E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E10C5BF9-366C-431D-8246-3B7983B7FA46 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3691D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3691D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3691D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367D6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367D6C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x367D6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366EE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36702C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36702C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366FD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366FD3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366FD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366F8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366F8A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366F8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366EE5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008044234-1184339940-1674187161-3781974557 Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366EE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEE5E6CA-97E4-4697-9911-CA631D5A6CE1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x34D2F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3561EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DA13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DA13 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DA13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFB0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:32:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356FAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356FAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356FAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3560A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3561EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3561EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356191 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356191 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356191 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356148 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356148 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x356148 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3560A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3020749809-1090377656-830294194-2731497164 Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3560A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B40CFBF1-D7B8-40FD-B248-7D31CC56CFA2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347322 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34ECA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34ECA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34ECA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x34D2F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49441 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x34D2F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EABE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3480A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3480A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3480A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3471DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347322 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347322 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3472C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3472C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3472C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347280 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347280 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x347280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3471DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-999425179-1260946992-553302964-3139246746 Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3471DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3B92049B-8630-4B28-B4BB-FA209A1A1DBB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3459AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3459AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3459AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34154A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34154A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34154A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33F87A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33F87A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33F87A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E975 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EABE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EABE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA63 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA63 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EA1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E975 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3802445866-1314954999-1700202889-1053313064 Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E975 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2A4B82A-9EF7-4E60-8909-57652848C83E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ABAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ACF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ACF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33AC4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ABAA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3079550395-1076779083-3354318520-406414911 Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33ABAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B78E35BB-584B-402E-B8D6-EEC73F663918 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A443 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322090 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33177D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33177D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33177D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EDDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EDDC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EDDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B1BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B1BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32B1BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A2FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A443 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A443 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A3A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A2FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2721589728-1246748855-2757788066-436534602 Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A2FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A23829E0-E0B7-4A4F-A281-60A44AFD041A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:31:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2F27AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3267E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3267E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3267E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322D96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322D96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322D96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322090 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322090 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322037 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x322037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321FEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321FEA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321FEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1644138019-1321941740-2541418639-870038885 Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 61FF8E23-3AEC-4ECB-8FF8-7A9765BDDB33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A147 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C675 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C675 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C675 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AE59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319FFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A147 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A147 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0EE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31A0A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319FFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2106905837-1158940686-1800910783-4249640866 Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x319FFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D94D4ED-080E-4514-BFB7-576BA25F4CFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8E50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6A48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B43F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B43F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30B43F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307E50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307E50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307E50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30672A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30672A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30672A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302F02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302F02 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x302F02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300B24 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300B24 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300B24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FF9C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFB0F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFB0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFAB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFAB6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFAB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFA6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFA6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FFA6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FF9C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-619184610-1232955022-3868364179-1524831680 Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FF9C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24E801E2-668E-497D-938D-92E6C015E35A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:04 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB9F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB9F1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB9F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:30:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC86 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC2D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAC2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FABE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FABE4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FABE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3177793866-1119851647-3978520974-3892029620 Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BD69494A-947F-42BF-8E69-23EDB4A8FBE7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9B50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9B50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9B50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8D03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8E50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8E50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DF1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8DA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8D03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2307894692-1135629835-1322026664-2544075767 Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8D03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 898FADA4-560B-43B0-A886-CC4EF783A397 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7795 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7795 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F7795 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6878 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6A48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6A48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6966 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6966 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6966 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F691D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F691D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F691D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6878 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2708409528-1124631853-3525862547-4024697343 Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F6878 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A16F0CB8-852D-4308-9364-28D2FF01E4EF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2F27AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49332 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2F27AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E51D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1695 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E80C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E80C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E80C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5FB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5FB5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5FB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5084 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E51D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E51D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E517D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E517D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E517D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E512A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E512A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E512A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5084 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2636290295-1155984164-2111737516-3927073128 Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E5084 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9D2298F7-EB24-44E6-AC8E-DE7D686112EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3288 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:29:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFFBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFFBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DFFBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCFAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCFAA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCFAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6A48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D40C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D40C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D40C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3141 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3288 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3288 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D322F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D322F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D322F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D31E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D31E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D31E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3141 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3124447072-1154777474-704836797-3337029425 Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3141 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA3B4760-8182-44D4-BDF4-022A3107E7C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D242B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D242B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D242B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D154E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1695 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1695 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D163C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D163C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D163C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D15F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D15F3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D15F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D154E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-691771412-1265559034-1791381435-3244761683 Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D154E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 293B9814-E5FA-4B6E-BB4F-C66A532267C1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1E88 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA5F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA5F3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA5F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C3280 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C3280 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C3280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1CA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1E88 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1E88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1D4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1CA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2011917549-1252613964-2594399620-727019297 Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C1CA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77EB6CED-5F4C-4AA9-8465-A39A216F552B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC9DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC9DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC9DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:28:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B78C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B78C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B78C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:58 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6824 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6A48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6A48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6997 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6997 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6997 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B68F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B68F6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B68F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6824 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1136147592-1280603988-1005527173-2793652192 Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6824 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43B83C88-7754-4C54-8520-EF3BE0BF83A6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2AFF95 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283E90 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x286295 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285166 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285130 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2850EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284C4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284C25 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284BD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28428D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28422B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F4B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283EE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283EC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x286348 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285236 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284D45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28444F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F89 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2AFF95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49221 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2AFF95 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:33 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1208CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F946 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16190A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268052 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29825D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D14C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D14C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29D14C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:27:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299028 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299028 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x299028 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298111 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29825D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29825D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298200 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298200 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298200 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2981B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2981B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2981B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298111 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-655633674-1159772983-2835563144-3479909469 Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x298111 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 27142D0A-BB37-4520-8842-03A95D346BCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2818E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257464 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC75 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BC75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A17E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A17E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A17E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x286348 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x286348 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2862E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2862C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862C1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2862AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2862AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x286295 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x286295 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x285236 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285236 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x285166 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285166 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x285130 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x285130 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2850EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2850EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x284D45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284D45 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x284C4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284C4D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x284C25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284C25 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x284BD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x284BD9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x28444F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28444F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x28428D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28428D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x28422B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x28422B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283F89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49223 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F89 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283F4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F4B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283F20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283F20 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283EE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283EE9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283EC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283EC6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x283E90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49221 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x283E90 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x257020 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x282A4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x282A4A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x282A4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28166F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2818E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2818E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28187C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28187C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28187C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28182D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28182D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28182D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28166F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1253928683-1260134469-2529851322-3667338970 Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28166F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4ABD6EEB-2045-4B1C-BA77-CA96DA2697DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B509 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B509 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B509 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2663E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2760D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2760D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2760D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:07 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21007E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x210069 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x210052 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FFAD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF81 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEF3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEDE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE25 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC5A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F7E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F7A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F654 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F63F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F628 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F617 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D6A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D60F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2100A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FFD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC84 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F9F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F903 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F66C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267EF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268052 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x268052 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267FAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267EF4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2380063204-1079886968-3681182391-3541605386 Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267EF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DDCE1E4-C478-405D-B762-6ADB0A9C18D3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267307 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267307 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x267307 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:26:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2663E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49169 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2663E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263425 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263425 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263425 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2604FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25C5DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25C5DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25C5DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE42 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AF32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AEE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AEE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AEE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE42 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3951941256-1116550321-317124485-1448979088 Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB8DD688-34B1-428D-85EF-E61290AA5D56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A076 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A076 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A076 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257309 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257464 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257464 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25740B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25740B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25740B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2573C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2573C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2573C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257309 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2261748178-1233249746-188380054-1695970185 Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257309 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 86CF89D2-E5D2-4981-9673-3A0B89731665 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x257020 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 49162 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x257020 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEED60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6505 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24132A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x114AFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B7B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248D3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248D3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x248D3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D0E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2421EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2421EF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2421EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2411DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24132A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24132A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2412D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2412D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2412D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241288 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241288 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241288 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2411DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3607253934-1170805540-3476301206-1099044235 Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2411DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D70253AE-1324-45C9-9625-34CF8B158241 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:25:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F5F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20931F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231E71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238714 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238714 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238714 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:48 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234548 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234548 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x234548 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2331A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2331A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2331A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231AD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231E71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231E71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231D81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231D81 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231D81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231C71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231C71 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231C71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231AD3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2773690789-1278509923-3429951377-3665200456 Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231AD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A55329A5-8363-4C34-91E7-70CC488576DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:44 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D516 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EA75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EA75 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EA75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DA43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB94 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB31 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DB31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DAE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DAE8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DAE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DA43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-78257314-1130208314-9916309-1382859262 Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22DA43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04AA1CA2-9C3A-435D-954F-9700FEC16C52 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:40 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x21DD29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1900AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D738 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21EF44 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21EF44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21EF44 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21EC2C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21EC2C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21EC2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E960 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E960 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21E960 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21DD29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65441 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x21D7FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D7FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D738 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D738 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D6A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D6A2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D60F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D60F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D5D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5D6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D5C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5C1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D5A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D5A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D53D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D562 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D550 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D562 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65444 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D562 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D550 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65443 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D550 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D53D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65442 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D53D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21D516 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65441 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21D516 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21BFA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C060 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C060 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21C060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3096044241-1295560540-1033769639-1117752332 Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21BFE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B889E2D1-AF5C-4D38-A712-9E3D0C8C9F42 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21BFA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FEF9F917-54E9-292B-3024-80530C0F6687} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-861357-2@CBCI-861357-2.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21BFA0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A453 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2184BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2184BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2184BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205DD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:24:01 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2100A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x2100A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x21007E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x21007E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x210069 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x210069 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x210052 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x210052 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FFD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FFD3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FFAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FFAD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FF98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FF81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF81 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FF19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FF19 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FEF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEF3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FEDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEDE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FEC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FEC7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FE60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE60 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FE3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FE25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE25 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FE0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FE0E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FC84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC84 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FC5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC5A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FC45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC45 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20FC2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20FC2E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F9F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F9F1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F903 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F903 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F7E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F7E1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F7A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F7A3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F66C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65401 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F66C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F654 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F654 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F63F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F63F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F628 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F628 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F617 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65400 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F617 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20F5F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65382 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20F5F9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x206CBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A4E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A4E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20A4E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x20931F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {76D91D49-EEBA-ADD8-8A0E-870EB7083A66} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65382 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x20931F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x206CBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65376 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x206CBB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205DD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205DD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D78 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D2F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205D2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C89 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1099487747-1192999804-3572437917-3333645983 Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x205C89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4188DA03-BB7C-471B-9D13-EFD49F66B3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160CA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20500E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20500E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x20500E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183709 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1836F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1836DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18362F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18361A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1835FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183258 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18323B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183224 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1830BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18309A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183073 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182C05 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182BF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182BD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1829F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1829AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182984 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182320 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1822DC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18225C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181D8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181D65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181CFC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181190 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E6F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160D66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160D1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160CD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x12074E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120739 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120722 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B01C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B007 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18372F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183655 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18328B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE637C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183172 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6367 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182C3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6350 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE633F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182AA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181E79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181984 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181002 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x161142 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160FDA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120785 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:23:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF923 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF923 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF923 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB07F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFEF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE1AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196AF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x125099 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A7563 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A7563 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A7563 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CBFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CBFA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CBFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19828F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19828F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19828F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19697F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196B30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196B30 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196B30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196AF0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196AF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A91 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A26 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x196A26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19697F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3749728983-1244410801-301143221-2008181594 Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19697F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DF8052D7-33B1-4A2C-B514-F3115A6BB277 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:03 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1942F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1942F1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1942F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:02 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1918BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1918BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1918BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:22:00 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FE80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1900AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1900AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190037 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x190037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FFD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FFD5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FFD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FE80 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1761479331-1296126466-3043106191-3381461219 Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18FE80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 68FE0AA3-5202-4D41-8F1D-62B5E3008DC9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:59 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18BAB9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18BAB9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18BAB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:55 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A1B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A453 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A453 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A3A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A3A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A3A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A2E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A2E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A2E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A1B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2573137786-1151247444-2312519565-554038799 Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A1B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 995EF77A-A454-449E-8D3F-D6890FF60521 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18372F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18372F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183709 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183709 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1836F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1836F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1836DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1836DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183655 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183655 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18362F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18362F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18361A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18361A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1835FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1835FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18328B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18328B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183258 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183258 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18323B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18323B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183224 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183224 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:47 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183172 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183172 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1830BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1830BC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18309A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18309A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x183073 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x183073 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182C3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182C3D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182C05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182C05 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182BF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182BF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182BD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182BD7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182AA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182AA1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1829F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1829F7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1829AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1829AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182984 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182984 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x182320 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x182320 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1822DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1822DC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x18225C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x18225C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181E79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181E79 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181D8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181D8F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181D65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181D65 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181CFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181CFC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181984 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181984 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1811E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811E3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1811C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811C5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1811A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1811A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181190 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181190 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x181002 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x181002 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:46 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x180E94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E94 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x180E6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E6F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x180E4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E4E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x180E19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x180E19 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:45 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x15F26E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x164038 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x162CA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DF15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x179529 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x179529 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x179529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:39 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170F94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170F94 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170F94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1617A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F946 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F946 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D383 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DF15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DF15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DB36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DB36 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16DB36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D8AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D8AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D8AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D383 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2869439687-1230784452-335454878-3889638050 Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D383 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB082CC7-47C4-495C-9EA2-FE13A22AD7E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x16AE1E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x16AE1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x16AE1E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AB65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AB65 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AB65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A77D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A77D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16A77D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FE5F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1641B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1641A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1641FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1641FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D392C969-EF6C-8B49-EE30-36E70095F4A7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65152 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1641B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D392C969-EF6C-8B49-EE30-36E70095F4A7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65151 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1641A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D392C969-EF6C-8B49-EE30-36E70095F4A7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65153 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x164038 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D392C969-EF6C-8B49-EE30-36E70095F4A7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65149 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:29 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x162CA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65149 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1620A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1620A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161C96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161C96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161C96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16190A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-835353792-1130972214-1686996384-829115145 Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16190A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31CA7CC0-4436-4369-A085-8D64094B6B31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1617A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1617A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x161142 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x161142 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160FDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160FDA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160D66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160D66 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160D1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160D1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160CD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160CD7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160CA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65154 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160CA7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1609D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x16099B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160981 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1609D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65153 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1609D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x16099B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65152 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x16099B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x160981 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65151 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x160981 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15F76B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15F76B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15F76B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x15F26E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65149 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x15F26E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15E11B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15E11B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15E11B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15CF7A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D0E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D0E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D08A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D08A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D08A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D01F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D01F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15D01F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15CF7A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2097872975-1305704132-513362313-2524049314 Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15CF7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7D0B004F-76C4-4DD3-8949-991EA2EF7196 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:26 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15B2CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15B2CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15B2CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156F16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156F16 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156F16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132929 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147179 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147179 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147179 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E886 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FE5F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FE5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FAFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FAFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13FAFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F33C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F33C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F33C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E886 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1999622206-1203234910-4035582140-3967008150 Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 772FD03E-E85E-47B7-BC18-8AF096BD73EC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:21:16 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1376B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1376B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1376B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1337DE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1337DE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1337DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:38 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1327DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132929 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132929 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1328D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1328D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1328D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132887 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132887 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132887 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1327DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3169128786-1338470727-1000685970-2226065774 Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1327DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BCE51152-7147-4FC7-9241-A53B6E11AF84 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:37 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x121593 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x121E67 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ECB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ECB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12ECB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE61B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x12089C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE07 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12AE07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128134 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128134 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x128134 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x126DF3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x126DF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x126DF3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x126BB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x126BB1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x126BB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1267C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1267C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1267C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x125099 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x125099 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124CCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124CCC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124CCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1249E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1249E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1249E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2858685255-1236613931-2486285219-2427409556 Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AA641347-3B2B-49B5-A3B3-31949454AF90 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x121EAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x121ECE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x121EBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x121ECE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0A2442EC-FD13-F2C2-A23D-8EB7C18802B1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65005 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x121EBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0A2442EC-FD13-F2C2-A23D-8EB7C18802B1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65004 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x121EAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0A2442EC-FD13-F2C2-A23D-8EB7C18802B1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65003 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x121E67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0A2442EC-FD13-F2C2-A23D-8EB7C18802B1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65002 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x121593 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65002 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x120989 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x120989 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12091D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12091D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12091D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1208CA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173051516-1171370999-2428926651-1136742680 Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1208CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A508E7C-B3F7-45D1-BB7A-C6901851C143 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x12089C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x12089C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x120785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120785 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x12074E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x12074E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x120739 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120739 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x120722 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:12 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x120722 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1206FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65004 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1206EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65005 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1206DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65003 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206DA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1206B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 65002 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x1206B0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AF6F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10CBE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10C03A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11DFFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11DFFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11DFFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:06 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B2F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B200 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6446 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE63B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF68A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:20:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1169D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1169D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1169D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1159A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B17 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115B17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115A4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115A4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x115A4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1159A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-987967549-1319837407-1915817090-2919935694 Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1159A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3AE3303D-1EDF-4EAB-820C-3172CEAE0AAE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:57 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B6EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x114AFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x114AFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:54 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x110B22 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x110B22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x110B22 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1108DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1108DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1108DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11063C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11063C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11063C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:52 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10CCEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10CCC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10CCD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10CCEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5E170B81-1771-1D9D-EE55-50B66A5DB41B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10CCD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5E170B81-1771-1D9D-EE55-50B66A5DB41B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10CCC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5E170B81-1771-1D9D-EE55-50B66A5DB41B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10CBE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5E170B81-1771-1D9D-EE55-50B66A5DB41B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64936 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10C03A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64936 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x10BA39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10BA39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B93E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B93E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B93E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B7B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4048271635-1144259859-1412383909-575849753 Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B7B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F14BB913-0513-4434-A544-2F5419C55222 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:51 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10B6EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B6EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10B2F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64896 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B2F9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10B200 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64896 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B200 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10B01C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B01C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10B007 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10B007 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10AFF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFCA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10AFCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFCA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10AFB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFB9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10AFA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64938 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AFA4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x10AF6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64936 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0x10AF6F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:50 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x108E38 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:43 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x108E38 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x108E38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:43 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106714 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106714 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106714 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:41 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100CA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:36 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100CA4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x100CA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:36 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFDAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFEF4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFEF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE9B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE52 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE52 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFE52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFDAD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3941347570-1197651894-3609312154-1090506033 Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFDAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAEC30F2-B7B6-4762-9ABB-21D731CDFF40 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:35 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF018 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF018 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFF018 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE05D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE1AA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE1AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE151 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE151 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE151 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE108 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE108 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE108 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE05D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3529601745-1174117177-1928675487-2950725192 Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFE05D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26172D1-9B39-45FB-9F40-F572487EE0AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBF79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBF79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBF79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE75B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE717A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE60D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF75F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF75F1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF75F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6760 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF68A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF68A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF684F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF684F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF684F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6806 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6806 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6760 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3119702073-1266933232-998951331-1942214347 Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF6760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B9F2E039-DDF0-4B83-A3C9-8A3BCBD6C373 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF4EBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF4EBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF4EBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:17 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE64DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEED60 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEED60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEC1AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEC1AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEC1AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:11 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA9EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB07F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB07F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAFC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAFC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAFC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAF34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAF34 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEAF34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA9EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2477284449-1287648024-2665338510-319400959 Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA9EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93A85C61-F318-4CBF-8ED6-DD9EFFAB0913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xEA48F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xEA48F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xEA48F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA26E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA26E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA26E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9EE3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9EE3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9EE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:10 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE765A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE7637 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE764A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE765A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64888 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE764A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64889 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE7637 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64887 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE75B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64885 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:09 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE717A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64885 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0xE65C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-1106 Account Name: N-H2-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE65C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C0050FA-4BCB-D17D-846D-02EC39E5D76E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6558 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6558 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6558 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6505 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1585255743-1090867546-1363639425-3526205317 Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE6505 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E7D153F-515A-4105-817C-4751859F2DD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE64DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE64DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE6446 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64896 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6446 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE63B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64896 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE63B3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE637C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE637C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE6367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0D24762D-0CF9-C07C-1442-A6E38F907C15} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6367 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE6350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6350 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE633F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE633F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE61B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {42BB5972-0DF8-60A4-C9F7-F2946E554D12} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64891 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE61B8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6123 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6113 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE60F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE6123 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64888 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6123 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE6113 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64889 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE6113 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE60F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64887 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE60F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon ID: 0xE60D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {45A79FC7-45D4-7931-4C95-CE4FB17E497B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.42 Source Port: 64885 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: Administrator Account Domain: CBCI-861357-2 Logon ID: 0xE60D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:19:08 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA41D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE338 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE338 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDE338 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB0EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB0EE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB0EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA2D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA41D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA41D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA3C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA3C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA3C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA377 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA377 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA377 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA2D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3462752952-1282968358-2936794808-1258691040 Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA2D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CE656AB8-8B26-4C78-B8EE-0BAFE019064B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:42 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2BBE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA017 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCF324 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCF324 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCF324 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:27 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC524 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC524 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC524 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC45F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC45F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC45F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2BBE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2BBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2B08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2B08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2B08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2897 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2897 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2897 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2760166890-1208579755-486997183-1376984566 Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A484CDEA-76AB-4809-BFFC-061DF61D1352 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:14 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBC816 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBC816 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBC816 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB93F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA017 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA017 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9E96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9E96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9E96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9B76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9B76 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB9B76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB93F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-679226746-1234232758-1913651879-1654660368 Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB93F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 287C2D7A-E5B6-4990-A702-1072101DA062 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:18:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x2F393 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x130c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:16:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:16:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:16:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:16:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B580 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: administrator Account Domain: CBCI-861357-2 Logon ID: 0x6B580 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {41403BB2-5BA7-9EBA-ABB7-2F03F248D4E8} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-861357-2 Logon GUID: {41403BB2-5BA7-9EBA-ABB7-2F03F248D4E8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a4 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:15 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: administrator Account Domain: CBCI-861357-2 Logon ID: 0x5291F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3198211319-1488511317-2373354810-500 Account Name: administrator Account Domain: CBCI-861357-2 Logon ID: 0x5291F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {132A6011-6974-02E5-1FFE-F1ED4C88D432} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-861357-2 Logon GUID: {132A6011-6974-02E5-1FFE-F1ED4C88D432} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:13 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x4D2A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x4D2A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A78AAB7B-3B21-B97A-4645-9584BABB2AEB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x4D2A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon GUID: {2F7F2B2A-5636-A137-752B-905BCC01E493} Target Server: Target Server Name: n-h1-861357-2$ Additional Information: n-h1-861357-2$ Process Information: Process ID: 0x10d8 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x4B7ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x4B7ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DA83669E-2FC7-709A-0250-C91CF12CD276} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x4B7ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:15:05 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x40C4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x40C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7CC64CC5-5191-19BB-C49F-4F47E8932223} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x40C4E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon GUID: {9F174E0D-4808-2887-E296-D8FCB35699DB} Target Server: Target Server Name: n-h1-861357-2$ Additional Information: n-h1-861357-2$ Process Information: Process ID: 0xf7c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3DBD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x3DBD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DA83669E-2FC7-709A-0250-C91CF12CD276} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3DBD0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:56 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x2F393 Account Modified: Account Name: S-1-5-21-3198211319-1488511317-2373354810-500 Access Granted: Access Right: SeServiceLogonRight471700135690-921436483760003481614364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:49 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC4B Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:34 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x30ED9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x30ED9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94F5CF73-3B5C-14E5-C76B-CD557813EE55} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x30ED9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon GUID: {90026AA6-6283-0809-0639-FDB8429E3DB0} Target Server: Target Server Name: n-h1-861357-2$ Additional Information: n-h1-861357-2$ Process Information: Process ID: 0xe80 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:32 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a4 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x2F393 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x2F393 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:31 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:31 PMd9b9a250-dfce-0002-8da2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a784a7ba85fde77bb15c6a1962f1a8e1_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x2E17A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2E17A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99A45214-67DB-4BE5-62E4-A3D63AF96932} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x2E17A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon GUID: {6729638D-EEEA-CD03-1CE0-CBE503F56179} Target Server: Target Server Name: n-h1-861357-2$ Additional Information: n-h1-861357-2$ Process Information: Process ID: 0x940 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:30 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC4B Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb40 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0000-87a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2472400138240-921436483760003481614342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 1:14:28 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Process Information: Process ID: 0xb40 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Process Information: Process ID: 0xb40 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:28 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x2485F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x2485F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DA83669E-2FC7-709A-0250-C91CF12CD276} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x2485F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:25 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x99c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:24 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Domain: Domain Name: N-H1-861357-2 Domain ID: S-1-5-21-3598109843-2908354801-2468433129 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481614329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:23 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1C8F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1C8F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F3F29846-A88D-3193-CB83-4D444A75BEEB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1C8F7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1C250 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2.LOCAL Logon ID: 0x1C250 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F3F29846-A88D-3193-CB83-4D444A75BEEB} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x1C250 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a4 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:22 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x168C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202340n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x1504E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820668n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820668n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0003-67a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202168n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5a4 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a4 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:21 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x3c0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?14T13:14:19.661617700Z New Time: ?2022?-?10?-?14T13:14:20.089000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820892n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC25E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481614273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC20B Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC25E Linked Logon ID: 0xC20B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC20B Linked Logon ID: 0xC25E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:19 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: CBCI-861357-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820896n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:18 PMd9b9a250-dfce-0002-51a2-b9d9cedfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6507490200135680-921436483760003481614264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481614262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4208n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481614250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-2.cbci-861357-2.local10/14/2022 1:14:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x590 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?14T13:14:03.770383200Z New Time: ?2022?-?10?-?14T13:14:03.763000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4364n-h1-861357-210/14/2022 1:14:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x62089D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8165092n-h1-861357-210/14/2022 1:14:03 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x62089D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8165092n-h1-861357-210/14/2022 1:14:03 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8165092n-h1-861357-210/14/2022 1:14:03 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8165092n-h1-861357-210/14/2022 1:14:03 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889614244Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security14321624n-h1-861357-210/14/2022 1:14:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Member: Security ID: S-1-5-21-3198211319-1488511317-2373354810-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Member: Security ID: S-1-5-21-3198211319-1488511317-2373354810-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8165092n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:59 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:58 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:58 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: LDAP/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.60 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 1:13:58 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {0E9A2A6C-DE0C-5F15-569F-75243436462E} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: ldap/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 1:13:58 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-861357-2.LOCAL Logon GUID: {0E9A2A6C-DE0C-5F15-569F-75243436462E} Target Server: Target Server Name: n-ad-861357-2.cbci-861357-2.local Additional Information: cifs/n-ad-861357-2.cbci-861357-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.60 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 1:13:58 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1210 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 1:13:44 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 1:00:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 1:00:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:45:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:45:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Process Information: Process ID: 0x1368 Process Name: C:\Program Files\Git\usr\bin\bash.exe479800138240-921436483760003481614226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:45:03 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:24 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x134991 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:24 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:24 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:24 PMacb663c1-dfc9-0004-a666-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x123C4A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x123C4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0000-af66-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x1224F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x1224F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0003-f166-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x121683 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x121683 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:42:18 PMacb663c1-dfc9-0002-6a66-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x11F889 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:16 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x11F889 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:16 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:16 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:42:16 PMacb663c1-dfc9-0001-9367-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2472400138240-921436483760003481614205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:41:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 12:41:35 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:41:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2 Process Information: Process ID: 0x584 Process Name: C:\Windows\System32\net1.exe479800138240-921436483760003481614203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:41:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xc10 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:41:22 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:40:57 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:40:57 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0506100122900-921436483760003481614194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Write persisted key to file. Return Code: 0x0505800122920-921436483760003481614193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016506100122900-921886843722740531214192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0505800122920-921436483760003481614191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:39:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:27 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x90989 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:27 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:27 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:27 PMacb663c1-dfc9-0000-c964-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x8F584 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x8F584 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x8F584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-4164-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 6c81f951-f0cc-4926-b943-88ea491fffd5 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a784a7ba85fde77bb15c6a1962f1a8e1_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:19 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2472400138240-921436483760003481614173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:17 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 12:38:17 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:17 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:17 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:17 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:17 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:13 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:13 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:13 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Member: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:12 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x78CBD Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x264 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:38:12 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Logon ID: 0x78CBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:10 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xc98 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:10 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:10 PMacb663c1-dfc9-0003-5264-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2472400138240-921436483760003481614159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:05 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 12:38:05 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:05 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2472200138240-921436483760003481614157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:05 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 New Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: Admin Account Domain: N-H1-861357-2 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -472000138240-921436483760003481614156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:05 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Member: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1001 Account Name: - Group: Security ID: S-1-5-21-3598109843-2908354801-2468433129-513 Group Name: None Group Domain: N-H1-861357-2 Additional Information: Privileges: -472800138260-921436483760003481614155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:38:05 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:48 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:48 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x50702 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xfa0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-1264-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2472400138240-921436483760003481614149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 12:37:41 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Process Information: Process ID: 0xfa0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Process Information: Process ID: 0xfa0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:41 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-861357-2 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x264 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462500125440-921886843722740531214145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:40 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\LogonUI.exe479800138240-921436483760003481614144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:40 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9e0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:36 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9e0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:36 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:36 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:36 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x264 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:35 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:34 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:34 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:34 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a842b0cc-f497-40bf-ae6c-50a25880a08d Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:34 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:33 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon ID: 0x2BC49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-861357-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:33 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-861357-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:33 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-861357-2 Error Code: 0x0477600143360-921436483760003481614129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:33 PMacb663c1-dfc9-0000-fd63-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:31 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:31 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:31 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:31 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:31 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:30 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x213E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x264 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508n-h1-861357-210/14/2022 12:37:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x264 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x264 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:29 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x52c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x598 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?14T12:37:28.433074100Z New Time: ?2022?-?10?-?14T12:37:28.050000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h1-861357-210/14/2022 12:37:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:28 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5d4 Process Information: Process ID: 0x504 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481614082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-861357-210/14/2022 12:37:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3598109843-2908354801-2468433129-513 Group Name: None Group Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -473700138260-921436483760003481614081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-513 Account Domain: N-H1-861357-2 Old Account Name: None New Account Name: None Additional Information: Privileges: -478100138240-921436483760003481614080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-3598109843-2908354801-2468433129-513 Group Name: None Group Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473700138260-921436483760003481614079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-503 Account Name: DefaultAccount Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-503 Account Name: DefaultAccount Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-501 Account Name: Guest Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-501 Account Name: Guest Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-500 Account Name: Administrator Account Domain: N-H1-861357-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -473500138260-921436483760003481614072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -478100138240-921436483760003481614071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -478100138240-921436483760003481614068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -478100138240-921436483760003481614065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -478100138240-921436483760003481614062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -478100138240-921436483760003481614059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -478100138240-921436483760003481614056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -478100138240-921436483760003481614053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -478100138240-921436483760003481614050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -473500138260-921436483760003481614048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -478100138240-921436483760003481614047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -478100138240-921436483760003481614044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -478100138240-921436483760003481614041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -473500138260-921436483760003481614039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -478100138240-921436483760003481614038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -478100138240-921436483760003481614035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -478100138240-921436483760003481614032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -478100138240-921436483760003481614029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -478100138240-921436483760003481614026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -478100138240-921436483760003481614023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -478100138240-921436483760003481614020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -473500138260-921436483760003481614018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -478100138240-921436483760003481614017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -478100138240-921436483760003481614014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -473500138260-921436483760003481614012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -478100138240-921436483760003481614011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -478100138240-921436483760003481614008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -478100138240-921436483760003481614005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -478100138240-921436483760003481614002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:26 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:16 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:16 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5A7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB595 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5A7 Linked Logon ID: 0xB595 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB595 Linked Logon ID: 0xB5A7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816900n-h1-861357-210/14/2022 12:37:15 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:14 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816904n-h1-861357-210/14/2022 12:37:14 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:14 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-861357-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852n-h1-861357-210/14/2022 12:37:14 PMacb663c1-dfc9-0002-c363-b6acc9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61D4490200135680-921436483760003481613983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816872n-h1-861357-210/14/2022 12:37:14 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820n-h1-861357-210/14/2022 12:37:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820n-h1-861357-210/14/2022 12:37:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x244 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h1-861357-210/14/2022 12:37:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188n-h1-861357-210/14/2022 12:37:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-210/14/2022 12:37:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-210/14/2022 12:37:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-861357-210/14/2022 12:37:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5c8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?14T12:37:00.424767900Z New Time: ?2022?-?10?-?14T12:37:00.406000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212WIN-5T344G8GM1H10/14/2022 12:37:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613967Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security12881720WIN-5T344G8GM1H10/14/2022 12:37:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:56 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:56 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:41 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/14/2022 12:36:41 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:41 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:41 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-3598109843-2908354801-2468433129-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:41 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3f4 Process Information: Process ID: 0x494 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481613960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4476WIN-5T344G8GM1H10/14/2022 12:36:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:06 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:06 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481613957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x6346B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824868WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:05 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481613945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4568WIN-5T344G8GM1H10/14/2022 12:36:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:04 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:04 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:03 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:03 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x508 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?14T12:36:02.820934000Z New Time: ?2022?-?10?-?14T12:36:03.685000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H10/14/2022 12:36:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:02 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:36:02 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:02 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824892WIN-5T344G8GM1H10/14/2022 12:36:02 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:55 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:55 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57606 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x575F4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57606 Linked Logon ID: 0x575F4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x575F4 Linked Logon ID: 0x57606 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:54 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:53 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:53 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:53 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824896WIN-5T344G8GM1H10/14/2022 12:35:53 PM7271f27b-dfc9-0005-7ff2-7172c9dfd801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x50080490200135680-921436483760003481613918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824872WIN-5T344G8GM1H10/14/2022 12:35:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824828WIN-5T344G8GM1H10/14/2022 12:35:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity824828WIN-5T344G8GM1H10/14/2022 12:35:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x338 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H10/14/2022 12:35:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4476WIN-5T344G8GM1H10/14/2022 12:35:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4240WIN-5T344G8GM1H10/14/2022 12:35:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/14/2022 12:35:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/14/2022 12:35:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/14/2022 12:35:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41980WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613901Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361144WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.464700125450-921436483760003481613900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:48:12 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481613895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481613891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe479800138240-921436483760003481613890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E31102041040462069321768212889613887Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361136WIN-5T344G8GM1H1/19/2018 9:47:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLog clearSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]