<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
  <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
      <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
      <EventID>4672</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12548</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime='2016-08-19T04:41:03.694851100Z'/>
      <EventRecordID>2435</EventRecordID>
      <Correlation ActivityID='{DC59F5D7-F9C4-0000-0AF6-59DCC4F9D101}'/>
      <Execution ProcessID='828' ThreadID='908'/>
      <Channel>Security</Channel>
      <Computer>ScarletOhare</Computer>
      <Security/>
    </System>
    <EventData>
      <Data Name='SubjectUserSid'>S-1-5-18</Data>
      <Data Name='SubjectUserName'>SYSTEM</Data>
      <Data Name='SubjectDomainName'>NT AUTHORITY</Data>
      <Data Name='SubjectLogonId'>0x3e7</Data>
      <Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data>
    </EventData>
    <RenderingInfo Culture='en-US'>
      <Message>Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Message>
      <Level>Information</Level>
      <Task>Special Logon</Task>
      <Opcode>Info</Opcode>
      <Channel>Security</Channel>
      <Provider>Microsoft Windows security auditing.</Provider>
      <Keywords>
        <Keyword>Audit Success</Keyword>
      </Keywords>
    </RenderingInfo>
  </Event>
  <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
      <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
      <EventID>4624</EventID>
      <Version>2</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime='2016-08-19T04:41:03.694843400Z'/>
      <EventRecordID>2434</EventRecordID>
      <Correlation ActivityID='{DC59F5D7-F9C4-0000-0AF6-59DCC4F9D101}'/>
      <Execution ProcessID='828' ThreadID='908'/>
      <Channel>Security</Channel>
      <Computer>ScarletOhare</Computer>
      <Security/>
    </System>
    <EventData>
      <Data Name='SubjectUserSid'>S-1-5-18</Data>
      <Data Name='SubjectUserName'>SCARLETOHARE$</Data>
      <Data Name='SubjectDomainName'>WORKGROUP</Data>
      <Data Name='SubjectLogonId'>0x3e7</Data>
      <Data Name='TargetUserSid'>S-1-5-18</Data>
      <Data Name='TargetUserName'>SYSTEM</Data>
      <Data Name='TargetDomainName'>NT AUTHORITY</Data>
      <Data Name='TargetLogonId'>0x3e7</Data>
      <Data Name='LogonType'>5</Data>
      <Data Name='LogonProcessName'>Advapi </Data>
      <Data Name='AuthenticationPackageName'>Negotiate</Data>
      <Data Name='WorkstationName'></Data>
      <Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name='TransmittedServices'>-</Data>
      <Data Name='LmPackageName'>-</Data>
      <Data Name='KeyLength'>0</Data>
      <Data Name='ProcessId'>0x334</Data>
      <Data Name='ProcessName'>C:\Windows\System32\services.exe</Data>
      <Data Name='IpAddress'>-</Data>
      <Data Name='IpPort'>-</Data>
      <Data Name='ImpersonationLevel'>%%1833</Data>
      <Data Name='RestrictedAdminMode'>-</Data>
      <Data Name='TargetOutboundUserName'>-</Data>
      <Data Name='TargetOutboundDomainName'>-</Data>
      <Data Name='VirtualAccount'>%%1843</Data>
      <Data Name='TargetLinkedLogonId'>0x0</Data>
      <Data Name='ElevatedToken'>%%1842</Data>
    </EventData>
    <RenderingInfo Culture='en-US'>
      <Message>An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: SCARLETOHARE$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x334
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.</Message>
      <Level>Information</Level>
      <Task>Logon</Task>
      <Opcode>Info</Opcode>
      <Channel>Security</Channel>
      <Provider>Microsoft Windows security auditing.</Provider>
      <Keywords>
        <Keyword>Audit Success</Keyword>
      </Keywords>
    </RenderingInfo>
  </Event>
</Events>