AceHash

- Table of Contents

Open all sections | Close all sections


- Tool Overview

Category
Password and Hash Dump
Description
Acquires the password hash value and logs on to the host.
Example of Presumed Tool Use During an Attack
This tool is used to log on to a remote host using the acquired password hash value if the logon password is unknown.

- Tool Operation Overview

Item Source Host Domain Controller
OS Windows
Belonging to Domain Not required
Rights Standard user
Communication Protocol 445/tcp

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
  • Domain Controller
    • Successful NTLM authentication (audit policy)
    • Access to "\\*\C$" (audit policy)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command ([Executable File Name of Tool] -l)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
2 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x1)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (path to the tool)
3 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (path to the tool)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
4 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the tool)
  • CommandLine: Command line of the execution command (cmd.exe)
  • ParentCommandLine: Command line of the parent process ([Executable File Name of Tool] -s [User Name]:[Password]:[Hash] "[Execution Command]")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command ([Executable File Name] -s [User Name]:[Domain Name]:[Hash] "[Execution Command]")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
6 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (Domain Controller/port number: 445)
7 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (path to the executable file)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
8 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0xFFFFFFFF)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (execution path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
9 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process

Prefetch

- Domain Controller

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller/port number: 445)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
2 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
3 Security 4776 Credential Validation The Domain Controller attempted to validate the credentials for an account.
  • Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
  • Logon Account: Account used (specified account)
  • Source Workstation: Host that requested account validation (source host)
  • Error Code: Execution result (0x0)
4 Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\C$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
5 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (NTLM V2)
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc.
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (128)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication

- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory (directory of the tool)
  • CommandLine: Command line of the execution command ([Executable File Name of Tool] -l)
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1FFFFF)
  • SourceImage: Path to the access source process (path to the tool)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
Microsoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread) CreateRemoteThread detected.
  • NewThreadId: Thread ID of the new thread
  • TargetProcessGuid/TargetProcessId: Process ID of the destination process
  • TargetImage: Path to the destination process (C:\Windows\system32\lsass.exe)
  • UtcTime: Execution date and time (UTC)
  • SourceImage: Path to the source process (path to the tool)
  • SourceProcessGuid/SourceProcessId: Process ID of the source process
3 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x1)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
4 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ([Executable File Name] -s [User Name]:[Domain Name]:[Hash] "[Execution Command]")
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the executable file)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
6 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the tool)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cmd.exe)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process ([Executable File Name of Tool] -s [User Name]:[Password]:[Hash] "[Execution Command]")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
7 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1FFFFF)
  • SourceImage: Path to the access source process (path to the executable file)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
Microsoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread) CreateRemoteThread detected.
  • NewThreadId: Thread ID of the new thread
  • TargetProcessGuid/TargetProcessId: Process ID of the destination process
  • TargetImage: Path to the destination process (C:\Windows\system32\lsass.exe)
  • UtcTime: Execution date and time (UTC)
  • SourceImage: Path to the source process (path to the executable file)
  • SourceProcessGuid/SourceProcessId: Process ID of the source process
8 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host)
  • SourceIp: Source IP address (source host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
9 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
10 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (execution path to the tool)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0xFFFFFFFF)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (execution path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
11 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

# File Name Process Attribute
1 [Executable File Name of Tool]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
2 [Executable File Name of Tool]-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf [Executable File Name of Tool] [Path to Tool] Last Run Time (last execution date and time)

- Details: Domain Controller

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID (4)
2 Security 4776 Credential Validation The Domain Controller attempted to validate the credentials for an account.
  • Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
  • Logon Account: Account used (specified account)
  • Source Workstation: Host that requested account validation (source host)
  • Error Code: Execution result (0x0)
Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (NTLM V2)
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc.
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (128)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication
3 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Share path (\??\C:\)
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\C$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\)
  • Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\C$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (\)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\)
  • Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\C$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (\)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
4 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication