Find-GPOPasswords.ps1


- Tool Overview

Category
Password and Hash Dump
Description
Acquires passwords stored in Group Policy (Group Policy Preferences) files on the domain's SYSVOL share.
Example of Presumed Tool Use During an Attack
The acquired passwords are used to log on to and compromise other hosts in the domain.
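As an added example (not code from this sheet or from the tool itself), the defensive counterpart of what the tool collects: a PowerShell scan of the SYSVOL Policies tree for Group Policy Preferences items that still carry a cpassword attribute. The GPP file names, the attribute layout and the per-type account attribute names are assumed from Microsoft's MS14-025 guidance; the default -Path and the constructed demo Groups.xml are this example's own.

```powershell
# Added example, not the tool's code: audit the SYSVOL Policies tree for
# Group Policy Preferences (GPP) items that still carry a "cpassword"
# attribute, i.e. the data Find-GPOPasswords.ps1 harvests.
# Assumptions (not stated on the sheet): GPP file names and layout as in
# Microsoft's MS14-025 guidance; the account attribute differs per item type.

function Find-GppCpassword {
    [CmdletBinding()]
    param(
        # Directory to scan; defaults to the current domain's SYSVOL Policies tree.
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # Preference files whose <Properties> element may carry cpassword.
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'
    # Attribute holding the account the password belongs to (varies by item type; XML attribute names are case-sensitive).
    $accountAttrs = 'userName', 'accountName', 'runAs', 'username'

    Get-ChildItem -Path $Path -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Skipping unparseable XML: $($file.FullName)"; return }

            # Each element with a non-empty cpassword attribute is one finding.
            foreach ($node in $doc.SelectNodes('//*[@cpassword != ""]')) {
                $account = @($accountAttrs | ForEach-Object { $node.GetAttribute($_) } |
                             Where-Object { $_ })
                [pscustomobject]@{
                    File           = $file.FullName
                    GpoGuid        = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                    Item           = $node.ParentNode.GetAttribute('name')     # e.g. the managed local account
                    Account        = if ($account) { $account[0] } else { '' }
                    CpasswordChars = $node.GetAttribute('cpassword').Length    # length only; never echo the value
                    Changed        = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Offline demo with a constructed Groups.xml under the well-known Default Domain
# Policy GUID; the cpassword value is a placeholder, not real ciphertext.
$demoRoot = Join-Path $env:TEMP 'gpp-demo'
$demoDir  = Join-Path $demoRoot '{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2016-06-01 09:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-BASE64==" changeLogon="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demoDir 'Groups.xml') -Encoding UTF8

Find-GppCpassword -Path $demoRoot | Format-Table -AutoSize
```

Run against the default path from any domain member. Every row it returns is a credential that anyone with read access to SYSVOL (by design, all authenticated users) can recover, so the remediation is to delete the preference item and change the password, not to restrict SYSVOL.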

- Tool Operation Overview

Item | Source host | Domain Controller
OS | Windows | Windows Server
Domain membership | Required | -
Rights | Administrator | -
Communication Protocol | 88/tcp (Kerberos), 389/tcp (LDAP), 445/tcp (SMB), 9389/tcp (AD Web Services) | -
Service | Workstation | Active Directory Domain Services

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
    • Content of the script executed (Windows 10 only; recorded in Microsoft-Windows-PowerShell/Operational (Event ID 4104) and in C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
    • Creation of the output file containing the dumped passwords (GPPDataReport-[Domain Name]-[Date and Time].csv) (audit policy, Sysmon, USN Journal)
    • Content of the script executed (only if Windows Management Framework 5.0 is installed; recorded in Microsoft-Windows-PowerShell/Operational (Event ID 4104) and in C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
  • Domain Controller
    • History of access to "\\*\SYSVOL" (audit policy)
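Added example (not from this sheet or from the tool): a source-host sweep of the traces listed above, i.e. 4104 script block text, the PSReadLine history of every profile on the machine, and the GPPDataReport-*.csv output file. Script Block Logging and the default history path are assumed; the indicator strings are this example's own choice (the tool's name, its output file prefix, and the GPP attribute and file names a Group Policy password harvester has to reference).

```powershell
# Added example (not the sheet's or the tool's code): hunt the source-host
# traces of Find-GPOPasswords.ps1. Assumptions: Script Block Logging is on,
# PSReadLine history is at its default path, and the indicator list below is
# illustrative (tool name, output prefix, GPP attribute/file names).

# Strings a GPP password harvester is likely to contain, plus this tool's own names.
$IndicatorRegex = @(
    'Find-GPOPasswords', 'GPPDataReport', 'cpassword',
    'Groups\.xml', 'ScheduledTasks\.xml', 'Services\.xml',
    'Drives\.xml', 'DataSources\.xml', 'Printers\.xml',
    '\\SYSVOL\\[^\\]+\\Policies'
) -join '|'

function Test-GppHarvestIndicator {
    # Returns the distinct indicators found in a piece of text (comma-joined), or nothing.
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Text)
    process {
        $found = [regex]::Matches($Text, $IndicatorRegex, 'IgnoreCase') |
                 ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
        if ($found) { @($found) -join ',' }
    }
}

function Get-ScriptBlockHits {
    # 4104 keeps the script text even after the .ps1/.psm1 copies in %TEMP% were deleted.
    param([int]$MaxEvents = 10000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Property order for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hit = $text | Test-GppHarvestIndicator
        if ($hit) {
            [pscustomobject]@{
                Time = $_.TimeCreated; ScriptBlockId = $_.Properties[3].Value
                Path = $_.Properties[4].Value; Indicators = $hit
            }
        }
      }
}

function Get-HistoryHits {
    # Walk every profile's PSReadLine history, not just the current user's.
    param([string]$ProfileRoot = "$env:SystemDrive\Users")
    $pattern = Join-Path $ProfileRoot '*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName; $line = 0
        Get-Content -LiteralPath $file | ForEach-Object {
            $line++
            $hit = $_ | Test-GppHarvestIndicator
            if ($hit) { [pscustomobject]@{ File = $file; Line = $line; Command = $_; Indicators = $hit } }
        }
    }
}

function Get-GppReportFiles {
    # The tool's output file; a full-drive walk is slow, but the name is distinctive.
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Recurse -File -Filter 'GPPDataReport-*.csv' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# Constructed sample lines, as they would appear in ConsoleHost_history.txt:
@(
  'Get-ChildItem C:\temp',
  'Import-Module C:\temp\Find-GPOPasswords.ps1',
  'Find-GPOPasswords | Export-Csv C:\temp\Logs\GPPDataReport-example.local-20160601.csv'
) | Test-GppHarvestIndicator
# Live sweep on a suspect host: Get-ScriptBlockHits; Get-HistoryHits; Get-GppReportFiles
```

The history file and the 4104 text are the two places where the script content survives after the temporary .ps1/.psm1 copies listed further down are deleted; the CSV search covers the case where script logging was not enabled.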

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

USN journal

# File Name Process
1 ConsoleHost_history.txt CLOSE+DATA_EXTEND+FILE_CREATE
2 [Domain Controller Name].[Domain Name].sch CLOSE+DATA_EXTEND+FILE_CREATE
3 GPPDataReport-[Domain Name]-[Date and Time].csv CLOSE+DATA_EXTEND+FILE_CREATE

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • User: Execute as user
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (Domain Controller ports 88, 389, 445 and 9389. Ordinary domain clients connect to the same ports constantly, so this event alone does not identify the tool.)
3 Microsoft-Windows-PowerShell/Operational 4104 Execute a Remote Command. Creating Scriptblock text.
  • Message: The content of the executed PowerShell script, recorded verbatim.
4 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Name: Target file name (C:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv)
5 Security 4663 File System An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch)

UserAssist

# Registry Data
1 \REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr Date and time of the initial execution, Total number of executions (UserAssist value names are ROT13-encoded; this one decodes to {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe, the System32 known-folder GUID followed by the path of powershell.exe)

MFT

# Path Header Flag Validity
1 [Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt FILE ALLOCATED
2 [Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch FILE ALLOCATED
3 [Drive Name]:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv FILE ALLOCATED

Prefetch

Registry entry

# Path Value
1 HKEY_USERS\[User SID]\SOFTWARE\Microsoft\ADs\Providers\LDAP\CN=Aggregate,CN=Schema,CN=Configuration,DC=[DN] File = %LOCALAPPDATA%\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch (ADSI LDAP provider schema cache, created when the script queries the directory)

- Domain Controller

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (the Domain Controller side of the connection; ports 88, 389, 445 and 9389. Ordinary domain clients use the same ports constantly, so this event alone does not identify the tool.)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number
2 Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Share Path: Local path of the share (\??\C:\Windows\SYSVOL\sysvol)
  • Access Request Information > Access: Requested access rights (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\SYSVOL)
  • Network Information > Source Port: Source port number (ephemeral high port)
  • Shared Information > Relative Target Name: Path relative to the share root ([Domain Name]\Policies and files under that directory). Reads of many different policy GUID directories from one client in a short time distinguish the tool from a normal Group Policy refresh, which only touches the GPOs linked to that client.
  • Network Information > Source Address: Source IP address (source host)
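Added example (not from this sheet or from the tool): the domain-controller-side detection a practitioner would build over the 5145 events above. It assumes "Audit Detailed File Share" is enabled on the domain controller and that a normal Group Policy refresh only reads the GPO directories linked to the client, whereas the tool walks every {GUID} directory under Policies; the thresholds and the constructed sample events are illustrative.

```powershell
# Added example (not the sheet's or the tool's code): flag clients that read
# many different GPOs under \\*\SYSVOL\<domain>\Policies in a short window,
# the DC-side trace of Find-GPOPasswords.ps1. Assumptions: Security 5145
# ("Audit Detailed File Share") is enabled on the DC; thresholds are illustrative.

function ConvertFrom-Event5145 {
    # Flatten one Security 5145 record, given as [xml] from EventLogRecord.ToXml().
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            Time   = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Source = $d['IpAddress']
            Share  = $d['ShareName']
            Target = $d['RelativeTargetName']   # path relative to the share root
        }
    }
}

function Find-SysvolPolicyEnumeration {
    # A normal client only touches the GPOs linked to it; a harvester walks every
    # {GUID} under Policies. So count distinct GPO GUIDs per (source, user).
    param(
        [Parameter(ValueFromPipeline)]$Record,
        [int]$MinDistinctGpos = 10,
        [int]$WindowMinutes = 15
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        if ($Record.Share -eq '\\*\SYSVOL' -and
            $Record.Target -match '^[^\\]+\\Policies\\(\{[0-9A-Fa-f-]{36}\})') {
            $hits.Add([pscustomobject]@{ Rec = $Record; Gpo = $Matches[1].ToUpper() })
        }
    }
    end {
        $hits | Group-Object { $_.Rec.Source + '|' + $_.Rec.User } | ForEach-Object {
            $ordered = @($_.Group | Sort-Object { $_.Rec.Time })
            $first = $ordered[0].Rec.Time; $last = $ordered[-1].Rec.Time
            $gpos = @($_.Group.Gpo | Sort-Object -Unique)
            if ($gpos.Count -ge $MinDistinctGpos -and ($last - $first).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Source = $ordered[0].Rec.Source; User = $ordered[0].Rec.User
                    DistinctGpos = $gpos.Count; Files = $_.Count; First = $first; Last = $last
                }
            }
        }
    }
}

# Constructed sample events in the shape Get-WinEvent's ToXml() produces.
function New-Sample5145 {
    param([string]$Ip, [string]$User, [datetime]$Time, [string]$Target)
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><TimeCreated SystemTime="$($Time.ToString('o'))"/></System>
  <EventData>
    <Data Name="SubjectUserName">$User</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="IpAddress">$Ip</Data><Data Name="ShareName">\\*\SYSVOL</Data>
    <Data Name="RelativeTargetName">$Target</Data>
  </EventData>
</Event>
"@
}

$t0 = Get-Date '2016-06-01 09:00:00'
$sample = [System.Collections.Generic.List[xml]]::new()
# Harvester-like: one user reads Preferences files of 12 different GPOs within two minutes.
1..12 | ForEach-Object {
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $sample.Add((New-Sample5145 -Ip '192.0.2.10' -User 'attacker' -Time $t0.AddSeconds($_ * 10) `
                 -Target "example.local\Policies\$guid\Machine\Preferences\Groups\Groups.xml"))
}
# Normal refresh: a workstation's machine account reads gpt.ini of one linked GPO.
$sample.Add((New-Sample5145 -Ip '192.0.2.20' -User 'WS01$' -Time $t0 `
             -Target 'example.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini'))

$sample | ConvertFrom-Event5145 | Find-SysvolPolicyEnumeration | Format-Table -AutoSize
# Live, on the DC:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } |
#   ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-Event5145 | Find-SysvolPolicyEnumeration
```

On the sample the attacker's source is reported with 12 distinct GPOs and the workstation is not. Tune MinDistinctGpos to a little above the largest number of GPOs linked to any single client; an account whose 5145 records span more GPO directories than could apply to one host is enumerating, whatever the tool.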

- Details: Source Host

- USN Journal

# File Name Process Attribute
1 POWERSHELL.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
POWERSHELL.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
POWERSHELL.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
2 PSReadline FILE_CREATE directory
PSReadline CLOSE+FILE_CREATE directory
3 ConsoleHost_history.txt FILE_CREATE archive
ConsoleHost_history.txt DATA_EXTEND+FILE_CREATE archive
ConsoleHost_history.txt CLOSE+DATA_EXTEND+FILE_CREATE archive
4 SchCache FILE_CREATE directory
SchCache CLOSE+FILE_CREATE directory
5 [Domain Controller Name].[Domain Name].sch FILE_CREATE archive
[Domain Controller Name].[Domain Name].sch DATA_EXTEND+FILE_CREATE archive
[Domain Controller Name].[Domain Name].sch CLOSE+DATA_EXTEND+FILE_CREATE archive
6 GPPDataReport-[Domain Name]-[Date and Time].csv FILE_CREATE archive
GPPDataReport-[Domain Name]-[Date and Time].csv DATA_EXTEND+FILE_CREATE archive
GPPDataReport-[Domain Name]-[Date and Time].csv CLOSE+DATA_EXTEND+FILE_CREATE archive

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\explorer.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (C:\Windows\Explorer.EXE)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the new process
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Process Information > Token Elevation Type: Elevation type of the process token (1: full token, not split by UAC)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent)
  • CreationUtcTime: File creation date and time (UTC)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\Explorer.EXE)
  • ProcessGuid/ProcessId: Process ID
  • Details: Value written to the registry (Binary Data)
  • TargetObject: Registry value written (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr; the value name is ROT13-encoded, see the UserAssist entry above)
3 Microsoft-Windows-PowerShell/Operational 40961 PowerShell Console Startup The PowerShell console is starting up.
Microsoft-Windows-PowerShell/Operational 53504 PowerShell Named Pipe IPC Windows PowerShell has started an IPC listening thread on process [Process ID] in AppDomain [AppDomain name].
Microsoft-Windows-PowerShell/Operational 40962 PowerShell Console Startup PowerShell console is ready for user input
4 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
5 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including DELETE, SYNCHRONIZE, and ReadAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (SYNCHRONIZE, WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target directory name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (SYNCHRONIZE, WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target directory name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
6 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
7 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
8 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name
  • Access Request Information > Access: Requested access rights
  • Process Information > Process Name: Name of the process that deleted the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name
  • Access Request Information > Access: Requested access rights
  • Process Information > Process Name: Name of the process that deleted the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
10 Security 4673 Sensitive Privilege Use A privileged service was called.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process > Process ID: ID of the process that used the privilege
  • Subject > Logon ID: Session ID of the user who executed the process
  • Service Request Information > Privilege: Privilege used (SeCreateGlobalPrivilege)
  • Process > Process Name: Process that used the privilege (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (READ_CONTROL, Query key value, Enumerate sub-keys, Notify about changes to keys)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target object name (registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (Key)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4673 Sensitive Privilege Use A privileged service was called.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process > Process ID: ID of the process that used the privilege
  • Subject > Logon ID: Session ID of the user who executed the process
  • Service Request Information > Privilege: Privilege used (SeCreateGlobalPrivilege)
  • Process > Process Name: Process that used the privilege (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
11 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\Explorer.EXE)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\Explorer.EXE)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (QWORD value)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\Explorer.EXE)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • CreationUtcTime: File creation date and time (UTC)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • CreationUtcTime: File creation date and time (UTC)
12 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
  • Process Information > Process Name: Process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
13 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache)
  • Process Information > Process Name: Process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
14 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
  • Process Information > Process Name: Process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
15 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
  • Process Information > Process Name: Process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Object type (File)
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Logon session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
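Items 12 to 15 above are three-event handle lifecycles (4656 request, 4663 access, 4658 close) that share a Handle ID. The script below, an added example that is not part of the original page or of the tool, joins the three events on (Process ID, Handle ID), checks which access bits were actually exercised rather than merely requested, and lists the files each process wrote. The events are constructed to mirror items 12 to 15, with simplified EventData field names and a constructed hash in the Prefetch file name; the only access-mask bits it interprets are FILE_WRITE_DATA (0x2, shown in the log as "WriteData or AddFile") and FILE_APPEND_DATA (0x4, "AppendData"). It also shows the caveat from item 12: the Prefetch file is written by svchost.exe (the SysMain service), so the tool's name appears only in the .pf file name, never in Process Name.

```python
"""Attribute Security 4656/4663/4658 file writes to the requesting process.

Added example (not page or tool code). Events are constructed; only the
fields used are present."""
from collections import defaultdict

FILE_WRITE_DATA = 0x2    # "WriteData or AddFile"
FILE_APPEND_DATA = 0x4   # "AppendData"
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
HISTORY = r"C:\Users\testuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
CACHE = r"C:\Users\testuser\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache"
PREFETCH = r"C:\Windows\Prefetch\POWERSHELL.EXE-00000000.pf"   # hash part is constructed


def _handle(pid, hid, process, obj, requested, exercised):
    """One constructed 4656 -> 4663 -> 4658 sequence for a single handle."""
    return [
        {"EventID": 4656, "ProcessId": pid, "HandleId": hid, "AccessMask": requested,
         "ProcessName": process, "ObjectName": obj},
        {"EventID": 4663, "ProcessId": pid, "HandleId": hid, "AccessMask": exercised,
         "ProcessName": process, "ObjectName": obj},
        {"EventID": 4658, "ProcessId": pid, "HandleId": hid, "ProcessName": process},
    ]


SAMPLE_EVENTS = (
    _handle("0x6f4", "0x3a8", SVCHOST, PREFETCH, "0x6", "0x2")      # item 12: SysMain writes the .pf
    + _handle("0xb1c", "0x5c0", POWERSHELL, CACHE, "0x1", "0x1")    # read-only open, not a write
    + _handle("0xb1c", "0x5c0", POWERSHELL, CACHE, "0x6", "0x6")    # item 13; handle value reused after close
    + _handle("0xb1c", "0x7e4", POWERSHELL, HISTORY, "0x6", "0x4")  # item 14: append to history
    + _handle("0xb1c", "0x7e4", POWERSHELL, HISTORY, "0x6", "0x4")  # item 15: second append
)


def correlate_handles(events):
    """Join 4656, its 4663 events and the closing 4658 on (ProcessId, HandleId).

    Handle values are reused once closed, so the key is removed on 4658 and
    a handle that is never closed is not reported."""
    open_handles = {}
    closed = []
    for ev in events:
        key = (ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == 4656:
            open_handles[key] = {"process": ev["ProcessName"], "object": ev["ObjectName"],
                                 "requested": int(ev["AccessMask"], 16), "exercised": 0}
        elif ev["EventID"] == 4663 and key in open_handles:
            open_handles[key]["exercised"] |= int(ev["AccessMask"], 16)
        elif ev["EventID"] == 4658 and key in open_handles:
            closed.append(open_handles.pop(key))
    return closed


def writes_by_process(events):
    """Process image -> sorted files on which write/append was exercised (4663),
    not merely requested (4656)."""
    out = defaultdict(set)
    for h in correlate_handles(events):
        if h["exercised"] & WRITE_BITS:
            out[h["process"]].add(h["object"])
    return {p: sorted(files) for p, files in out.items()}


def tool_file_artifacts(events, tool_image=POWERSHELL):
    """Files the tool process wrote itself, plus its Prefetch file, which is
    written by svchost.exe and therefore matched on the .pf name instead."""
    writes = writes_by_process(events)
    exe = tool_image.rsplit("\\", 1)[-1].upper()
    prefix = "C:\\WINDOWS\\PREFETCH\\" + exe + "-"
    prefetch = sorted(f for files in writes.values() for f in files
                      if f.upper().startswith(prefix))
    return {"written_by_tool": writes.get(tool_image, []), "prefetch": prefetch}


if __name__ == "__main__":
    for process, files in writes_by_process(SAMPLE_EVENTS).items():
        print(process)
        for f in files:
            print("    ", f)
    print(tool_file_artifacts(SAMPLE_EVENTS))
```

Joining on the exercised mask from 4663 rather than the requested mask from 4656 matters in practice: PowerShell opens ModuleAnalysisCache for reading far more often than it rewrites it, and a 4656 with write access requested does not by itself prove the file changed.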
16 Microsoft-Windows-PowerShell/Operational 4104 Execute a Remote Command. Creating Scriptblock text.
  • Message: The content of the executed PowerShell script, recorded as is.
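Event ID 4104 records the script text, but a long script is written as several 4104 events that share one ScriptBlockId and are numbered MessageNumber of MessageTotal, so a keyword that straddles a fragment boundary is missed by a per-event search. The script below, an added example that is not part of the original page or of the tool, reassembles the fragments before scanning them. The 4104 records are constructed, and the indicator patterns are this example's own heuristics (the `cpassword` attribute and the Group Policy Preferences XML file names that carry it, the SYSVOL Policies path, and the GPPDataReport- report name listed on this page); they are not a signature for any particular script.

```python
"""Reassemble PowerShell 4104 fragments by ScriptBlockId, then scan them.

Added example (not page or tool code). Events and indicator patterns are
this example's own constructions."""
import re
from collections import defaultdict

# Heuristic indicators (assumptions of this example, not from the page).
INDICATORS = {
    "cpassword": re.compile(r"\bcpassword\b", re.I),
    "gpp_xml": re.compile(r"\b(?:Groups|Services|ScheduledTasks|DataSources|Printers|Drives)\.xml\b", re.I),
    "sysvol_policies": re.compile(r"\\\\[^\\\s]+\\SYSVOL\\[^\\\s]+\\Policies\b", re.I),
    "report_csv": re.compile(r"GPPDataReport-", re.I),
}


def _frag(sid, number, total, text, path=""):
    """One constructed 4104 record (EventData field names as logged)."""
    return {"EventID": 4104, "ScriptBlockId": sid, "MessageNumber": str(number),
            "MessageTotal": str(total), "ScriptBlockText": text, "Path": path}


# Constructed two-fragment script whose "cpassword" is split across the
# boundary, plus a one-fragment benign block. Fragments may arrive out of order.
FRAG1 = ('$xml = Get-ChildItem "\\\\corp.example\\SYSVOL\\corp.example\\Policies" -Recurse '
         '-Include Groups.xml, Services.xml | Select-String -Pattern "cpass')
FRAG2 = 'word" ; $xml | Export-Csv GPPDataReport-corp.example.csv'
SAMPLE_EVENTS = [
    _frag("{aaaa-1}", 2, 2, FRAG2),
    _frag("{bbbb-2}", 1, 1, "Get-ADUser -Filter * | Select-Object Name"),
    _frag("{aaaa-1}", 1, 2, FRAG1),
]


def reassemble_scriptblocks(events):
    """ScriptBlockId -> {"text", "path", "complete"}.

    Fragments are concatenated in MessageNumber order (1-based); "complete"
    is False when any numbered fragment is missing from the log."""
    fragments = defaultdict(dict)
    totals, paths = {}, {}
    for e in events:
        if e["EventID"] != 4104:
            continue
        sid = e["ScriptBlockId"]
        fragments[sid][int(e["MessageNumber"])] = e["ScriptBlockText"]
        totals[sid] = int(e["MessageTotal"])
        paths[sid] = e.get("Path", "")
    blocks = {}
    for sid, frags in fragments.items():
        complete = all(i in frags for i in range(1, totals[sid] + 1))
        text = "".join(frags[i] for i in sorted(frags))
        blocks[sid] = {"text": text, "path": paths[sid], "complete": complete}
    return blocks


def scan_text(text):
    """Sorted names of the indicators present in a script text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_scriptblocks(events):
    """ScriptBlockId -> indicator names, evaluated on reassembled blocks only."""
    hits = {}
    for sid, block in reassemble_scriptblocks(events).items():
        found = scan_text(block["text"])
        if found:
            hits[sid] = found
    return hits


if __name__ == "__main__":
    print("per fragment:", scan_text(FRAG1), scan_text(FRAG2))
    print("reassembled: ", scan_scriptblocks(SAMPLE_EVENTS))
```

Scanning the two fragments separately finds the path, the XML name and the report name but not `cpassword`; only the reassembled block matches all four. Keep the `complete` flag in the output: a block with a missing fragment may have been cleared from the log or may still be arriving, and either is worth a look.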
17 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Registry operation (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the accessing process
  • TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the accessed process
  • GrantedAccess: Access rights granted (0x1000, PROCESS_QUERY_LIMITED_INFORMATION)
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
18 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
19 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the accessing process
  • TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the accessed process
  • GrantedAccess: Access rights granted (0x1000, PROCESS_QUERY_LIMITED_INFORMATION)
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Registry operation (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
20 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (9389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (9389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
21 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
22 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (9389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (9389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
23 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (9389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (9389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
24 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System: the SMB connection is made by the kernel, so it is not attributed to powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (System)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
25 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
26 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
27 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
28 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
29 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
30 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID
31 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1000, 0x1478)
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
32 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\testuser\AppData\Local\Microsoft\Windows\SchCache)
  • CreationUtcTime: File creation date and time (UTC)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: File type
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
33 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv)
  • CreationUtcTime: File creation date and time (UTC)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: File type
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
34 Microsoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread) CreateRemoteThread detected.
  • NewThreadId: Thread ID of the new thread (23500)
  • TargetProcessGuid/TargetProcessId: Process ID of the destination process
  • TargetImage: Path to the destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • UtcTime: Execution date and time (UTC)
  • SourceImage: Path to the source process (C:\Windows\System32\csrss.exe)
  • SourceProcessGuid/SourceProcessId: Process ID of the source process
35 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\[RANDOM].log)
  • CreationUtcTime: File creation date and time (UTC)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
36 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0xc000013a)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Logon ID: Session ID of the user who executed the process

- UserAssist

# Registry entry Information That Can Be Confirmed
1 \REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr Date and time of the initial execution, Total number of executions

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf FILE ALLOCATED
2 [Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline FOLDER ALLOCATED
[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt FILE ALLOCATED
3 [Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache FOLDER ALLOCATED
[Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch FILE ALLOCATED
4 [Drive Name]:\temp\Logs\GPPDataReport-[Domain Name]-[Date and Time].csv FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf POWERSHELL.EXE C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_USERS\[User SID]\SOFTWARE\Microsoft\ADs\Providers\LDAP\CN=Aggregate,CN=Schema,CN=Configuration,DC=[DN]\File String %LOCALAPPDATA%\Microsoft\Windows\SchCache\[Domain Controller Name].[Domain Name].sch
HKEY_USERS\[User SID]\SOFTWARE\Microsoft\ADs\Providers\LDAP\CN=Aggregate,CN=Schema,CN=Configuration,DC=[DN]\Time String [Expiration date and time]
2 HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe String [RANDOM]
HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe String [RANDOM]
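
The following Python is an added example, not code from this page or from JPCERT: it correlates the source-host artifacts listed above (Sysmon 11 for the GPPDataReport CSV and the SchCache .sch file, Sysmon 3 from powershell.exe to 389/9389) with the Domain Controller's Security 5140 access to \\*\SYSVOL, tying the DC record to the workstation through the SourceIp that the workstation's own Sysmon 3 event supplies. Host names, IP addresses, user names, timestamps, score weights and the correlation window are constructed assumptions.

```python
"""Correlate the artifacts this page records for Find-GPOPasswords.ps1.
Added example, not code from the original page or from JPCERT; every host
name, IP address, user name, timestamp and score weight below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

POWERSHELL = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
# Output file the page lists as "Output of a file in which a password was dumped".
GPP_REPORT = re.compile(r"\\GPPDataReport-[^\\]+\.csv$", re.IGNORECASE)
# ADSI schema cache the page lists under SchCache (written by any ADSI client).
SCHCACHE = re.compile(r"\\SchCache\\[^\\]+\.sch$", re.IGNORECASE)
AD_PORTS = {389, 9389}          # LDAP and ADWS, as recorded in the Sysmon 3 rows
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Assumed weights: only the CSV report is specific to this tool; the other
# artifacts appear with ordinary AD-module/ADSI use and merely corroborate.
WEIGHTS = {"gpp_report": 5, "schcache": 1, "ad_port": 1, "sysvol_share": 2}
ALERT_THRESHOLD = 6             # report plus at least one corroborating artifact


def classify(ev):
    """Return the artifact label an event record represents, or None."""
    if ev["log"].endswith("Sysmon/Operational"):
        if ev["id"] == 11 and ev.get("Image", "").lower() == POWERSHELL:
            if GPP_REPORT.search(ev["TargetFilename"]):
                return "gpp_report"
            if SCHCACHE.search(ev["TargetFilename"]):
                return "schcache"
        if (ev["id"] == 3 and ev.get("Image", "").lower() == POWERSHELL
                and ev.get("DestinationPort") in AD_PORTS):
            return "ad_port"
    elif (ev["log"] == "Security" and ev["id"] == 5140
            and ev.get("ShareName", "").upper() == r"\\*\SYSVOL"):
        return "sysvol_share"
    return None


def correlate(events, threshold=ALERT_THRESHOLD):
    """Group artifacts per workstation, attach the DC's 5140 records to the
    workstation via the SourceIp learned from its own Sysmon 3 events, and
    score everything within WINDOW of the first GPPDataReport creation."""
    hits = defaultdict(list)    # workstation -> [(time, artifact)]
    ip_to_host = {}             # learned from Sysmon 3 SourceIp on the workstation
    share_access = []           # (time, Source Address) from Security 5140 on the DC
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        if kind == "sysvol_share":
            share_access.append((t, ev["SourceAddress"]))
            continue
        hits[ev["host"]].append((t, kind))
        if kind == "ad_port":
            ip_to_host[ev["SourceIp"]] = ev["host"]
    for t, ip in share_access:
        if ip in ip_to_host:    # 5140 from an IP with no matching workstation log is dropped
            hits[ip_to_host[ip]].append((t, "sysvol_share"))

    findings = []
    for host, items in hits.items():
        anchors = [t for t, kind in items if kind == "gpp_report"]
        if not anchors:
            continue            # nothing tool-specific to anchor on
        anchor = min(anchors)
        kinds = {kind for t, kind in items if abs(t - anchor) <= WINDOW}
        score = sum(WEIGHTS[k] for k in kinds)
        if score >= threshold:
            findings.append({"host": host, "score": score, "artifacts": sorted(kinds),
                             "report_time": anchor.isoformat()})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; field names follow the page's listings
    {"host": "WS01", "log": "Microsoft-Windows-Sysmon/Operational", "id": 3,
     "time": "2024-05-01T09:00:00", "Image": PS, "DestinationPort": 389,
     "DestinationIp": "10.0.0.1", "SourceIp": "10.0.0.5"},
    {"host": "DC01", "log": "Security", "id": 5140, "time": "2024-05-01T09:00:02",
     "ShareName": r"\\*\SYSVOL", "SourceAddress": "10.0.0.5", "AccountName": "testuser"},
    {"host": "WS01", "log": "Microsoft-Windows-Sysmon/Operational", "id": 11,
     "time": "2024-05-01T09:00:05", "Image": PS,
     "TargetFilename": r"C:\Users\testuser\AppData\Local\Microsoft\Windows\SchCache\DC01.example.local.sch"},
    {"host": "WS01", "log": "Microsoft-Windows-Sysmon/Operational", "id": 11,
     "time": "2024-05-01T09:00:10", "Image": PS,
     "TargetFilename": r"C:\temp\Logs\GPPDataReport-example.local-20240501090010.csv"},
    # Benign noise: an admin console querying LDAP and a script writing an unrelated file.
    {"host": "WS02", "log": "Microsoft-Windows-Sysmon/Operational", "id": 3,
     "time": "2024-05-01T09:03:00", "Image": PS, "DestinationPort": 389,
     "DestinationIp": "10.0.0.1", "SourceIp": "10.0.0.7"},
    {"host": "WS02", "log": "Microsoft-Windows-Sysmon/Operational", "id": 11,
     "time": "2024-05-01T09:03:04", "Image": PS, "TargetFilename": r"C:\temp\notes.txt"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The anchoring on the report file keeps ordinary Group Policy and AD-module traffic (SYSVOL reads, LDAP/ADWS connections, schema cache writes) from alerting on their own.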

- Details: Domain Controller

- Event Log

# Event Log Event ID Task Category Event Details
1 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (9389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (9389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (9389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (9389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
6 Security 4769 A Kerberos service ticket was requested A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host IP address)
  • Account Information > Account Domain: Domain of the account
  • Account Information > Account Name: Name of the account from which the ticket was requested
  • Additional Information > Ticket Option: Ticket settings (0x60810010)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Service name of the ticket (krbtgt)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service
  • Network Information > Client Port: Source port number of the ticket request (high port)
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (9389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (9389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
8 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
9 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
10 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
11 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
12 Security 4769 A Kerberos service ticket was requested A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host)
  • Account Information > Account Domain: Domain of the account
  • Account Information > Account Name: Name of the account from which the ticket was requested
  • Additional Information > Ticket Option: Ticket settings (0x60810010)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Service name of the ticket ([Host Name]$)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service
  • Network Information > Client Port: Source port number of the ticket request (high port)
Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Path to the share (\??\C:\Windows\SYSVOL\sysvol)
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\SYSVOL)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Path to the share (\??\C:\Windows\SYSVOL\sysvol)
  • Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\SYSVOL)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path ([Domain Name]\Policies)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
13 Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Path to the share (\??\C:\Windows\SYSVOL\sysvol)
  • Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\SYSVOL)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path ([Domain Name]\Policies)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privileges (READ_CONTROL, SYNCHRONIZE, ReadData or ListDirectory, WriteData or AddFile, AppendData or AddSubdirectory or CreatePipeInstance, ReadEA, WriteEA, ReadAttributes, WriteAttributes)
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (lsarpc)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Path to the share (\??\C:\Windows\SYSVOL\sysvol)
  • Access Request Information > Access: Requested privilege (ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\SYSVOL)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path ([Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4769 A Kerberos service ticket was requested A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host)
  • Account Information > Account Domain: Domain of the account
  • Account Information > Account Name: Name of the account from which the ticket was requested
  • Additional Information > Ticket Option: Ticket settings (0x40810000)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Service name of the ticket ([Host Name]$)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service
  • Network Information > Client Port: Source port number of the ticket request (high port)
Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
14 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
15 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
16 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
17 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
18 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
19 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
20 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
21 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
22 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (9389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (9389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
23 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (9389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (9389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\adws\microsoft.activedirectory.webservices.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
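The Security 5145 rows above describe the Domain Controller-side trail of the tool: one logon session walks `[Domain Name]\Policies\{[GUID]}\...` on `\\*\SYSVOL` and reads `Groups.xml` under `Machine\Preferences`. The following Python is an added example, not code from the JPCERT page or from Find-GPOPasswords.ps1; it parses 5145 records written in the "Section > Field: value" layout used on this page (constructed sample, 192.0.2.0/24 documentation addresses, made-up policy GUIDs) and goes beyond the page's Groups.xml to the other Group Policy Preferences XML files that can carry a cpassword attribute.

```python
import re
from collections import defaultdict

# Preferences XML files that can hold a GPP "cpassword" attribute. The page's
# evidence shows Groups.xml; the others are the remaining GPP item types.
GPP_PASSWORD_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "drives.xml", "printers.xml",
}
POLICY_GUID_RE = re.compile(r"\\Policies\\(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)

# Constructed sample: five Security 5145 records, blank-line separated, in the
# "Section > Field: value" layout this page uses. Records 1-3 are a user session
# sweeping two policies; record 4 is a computer account applying policy
# normally; record 5 is the IPC$/lsarpc access from the same table.
SAMPLE_EVENTS = r"""
Event ID: 5145
Subject > Account Name: alice
Subject > Logon ID: 0x3E7A1
Network Information > Source Address: 192.0.2.10
Shared Information > Share Name: \\*\SYSVOL
Shared Information > Relative Target Name: corp.example\Policies
Access Request Information > Access: ReadData (or ListDirectory)

Event ID: 5145
Subject > Account Name: alice
Subject > Logon ID: 0x3E7A1
Network Information > Source Address: 192.0.2.10
Shared Information > Share Name: \\*\SYSVOL
Shared Information > Relative Target Name: corp.example\Policies\{AAAAAAAA-0000-0000-0000-000000000001}\Machine\Preferences\Groups\Groups.xml
Access Request Information > Access: ReadAttributes

Event ID: 5145
Subject > Account Name: alice
Subject > Logon ID: 0x3E7A1
Network Information > Source Address: 192.0.2.10
Shared Information > Share Name: \\*\SYSVOL
Shared Information > Relative Target Name: corp.example\Policies\{AAAAAAAA-0000-0000-0000-000000000002}\Machine\Preferences\Groups\Groups.xml
Access Request Information > Access: ReadAttributes

Event ID: 5145
Subject > Account Name: WS01$
Subject > Logon ID: 0x5B210
Network Information > Source Address: 192.0.2.20
Shared Information > Share Name: \\*\SYSVOL
Shared Information > Relative Target Name: corp.example\Policies\{AAAAAAAA-0000-0000-0000-000000000001}\Machine\Preferences\Groups\Groups.xml
Access Request Information > Access: ReadAttributes

Event ID: 5145
Subject > Account Name: alice
Subject > Logon ID: 0x3E7A1
Network Information > Source Address: 192.0.2.10
Shared Information > Share Name: \\*\IPC$
Shared Information > Relative Target Name: lsarpc
Access Request Information > Access: READ_CONTROL, SYNCHRONIZE
"""


def parse_events(text):
    """Split blank-line separated records into dicts of "Section > Field" -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def find_gpp_reads(events):
    """Group SYSVOL 5145 events per (Logon ID, source address) and report
    sessions that read a Preferences XML file that may carry a cpassword."""
    sessions = defaultdict(lambda: {"account": "", "guids": set(), "gpp_files": []})
    for ev in events:
        if ev.get("Event ID") != "5145":
            continue
        share = ev.get("Shared Information > Share Name", "")
        if not share.upper().endswith("\\SYSVOL"):
            continue  # IPC$ and other shares are not part of this pattern
        target = ev.get("Shared Information > Relative Target Name", "")
        key = (ev.get("Subject > Logon ID"), ev.get("Network Information > Source Address"))
        session = sessions[key]
        session["account"] = ev.get("Subject > Account Name", "")
        match = POLICY_GUID_RE.search(target)
        if match:
            session["guids"].add(match.group(1).upper())
        if target.rsplit("\\", 1)[-1].lower() in GPP_PASSWORD_FILES:
            session["gpp_files"].append(target)

    findings = []
    for (logon_id, source), session in sessions.items():
        if not session["gpp_files"]:
            continue
        # Computer accounts (names ending in '$') read these files during normal
        # Group Policy processing; the tool runs under a user account and
        # typically touches several policy GUIDs in one session.
        account = session["account"]
        findings.append({
            "logon_id": logon_id,
            "account": account,
            "source": source,
            "policies_enumerated": len(session["guids"]),
            "gpp_files_read": session["gpp_files"],
            "suspicious": not account.endswith("$"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_gpp_reads(parse_events(SAMPLE_EVENTS)):
        print(finding)
```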

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
1 Session Setup Request [Source Host] [High Port] [Domain Controller] 445 SMB2
Session Setup Response [Domain Controller] 445 [Source Host] [High Port] SMB2
2 Tree Connect Request Tree: \\[Domain Controller's NetBIOS Name]\sysvol [Source Host] [High Port] [Domain Controller] 445 SMB2
Tree Connect Response [Domain Controller] 445 [Source Host] [High Port] SMB2
3 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO [Domain Controller] 445 [Source Host] [High Port] SMB2
4 Create Request File: [Domain Name]\Policies [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies [Domain Controller] 445 [Source Host] [High Port] SMB2
5 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
6 Close Request File: [Domain Name]\Policies [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
7 Create Request File: [Domain Name]\Policies;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
8 Find Request File: [Domain Name]\Policies SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
9 Create Request File: [Domain Name]\Policies\{[GUID]} [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]} [Domain Controller] 445 [Source Host] [High Port] SMB2
10 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]} [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
11 Find Request File: [Domain Name]\Policies\{[GUID]} SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]} SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
12 Create Request File: [Domain Name]\Policies\{[GUID]};GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]};GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
13 Close Request File: [Domain Name]\Policies\{[GUID]} [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
14 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine [Domain Controller] 445 [Source Host] [High Port] SMB2
15 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
16 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
17 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
18 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
19 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft [Domain Controller] 445 [Source Host] [High Port] SMB2
20 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
21 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
22 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
23 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
24 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT [Domain Controller] 445 [Source Host] [High Port] SMB2
25 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
26 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
27 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
28 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
29 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit [Domain Controller] 445 [Source Host] [High Port] SMB2
30 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
31 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
32 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
33 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
34 Create Request File: [Domain Name]\Policies\{[GUID]}\USER [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\USER [Domain Controller] 445 [Source Host] [High Port] SMB2
35 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\USER [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
36 Find Request File: [Domain Name]\Policies\{[GUID]}\USER SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\USER SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
37 Create Request File: [Domain Name]\Policies\{[GUID]}\USER;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\USER;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
38 Close Request File: [Domain Name]\Policies\{[GUID]}\USER [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
39 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences [Domain Controller] 445 [Source Host] [High Port] SMB2
40 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
41 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
42 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
43 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
44 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups [Domain Controller] 445 [Source Host] [High Port] SMB2
45 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
46 Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Source Host] [High Port] [Domain Controller] 445 SMB2
Find Response SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * [Domain Controller] 445 [Source Host] [High Port] SMB2
47 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
48 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
49 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml;GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
50 GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
51 Close Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
52 Create Request File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml [Domain Controller] 445 [Source Host] [High Port] SMB2
53 Read Request Len:[Length] Off:0 File: [Domain Name]\Policies\{[GUID]}\Machine\Preferences\Groups\Groups.xml [Source Host] [High Port] [Domain Controller] 445 SMB2
Read Response [Domain Controller] 445 [Source Host] [High Port] SMB2
54 Tree Connect Request Tree: \\[Domain Controller's NetBIOS Name]\IPC$ [Source Host] [High Port] [Domain Controller] 445 SMB2
Tree Connect Response [Domain Controller] 445 [Source Host] [High Port] SMB2
55 Create Request File: lsarpc [Source Host] [High Port] [Domain Controller] 445 SMB2
Create Response File: lsarpc [Domain Controller] 445 [Source Host] [High Port] SMB2
56 GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: lsarpc [Source Host] [High Port] [Domain Controller] 445 SMB2
GetInfo Response [Domain Controller] 445 [Source Host] [High Port] SMB2
57 Read Request Len:1024 Off:0 File: lsarpc [Source Host] [High Port] [Domain Controller] 445 SMB2
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK [Domain Controller] 445 [Source Host] [High Port] DCERPC
58 Close Request File: lsarpc [Source Host] [High Port] [Domain Controller] 445 SMB2
Close Response [Domain Controller] 445 [Source Host] [High Port] SMB2
59 Tree Disconnect Request [Source Host] [High Port] [Domain Controller] 445 SMB2
Tree Disconnect Response [Domain Controller] 445 [Source Host] [High Port] SMB2
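The capture rows above show the pattern a defender can key on: the source host walks every policy folder under SYSVOL (Create, GetInfo, Find with pattern `*`), then opens and reads `Machine\Preferences\Groups\Groups.xml` before binding to `lsarpc` over `IPC$`. The following Python is an added example for this page (not the report's own code and not part of Find-GPOPasswords.ps1) that parses rows in the same flattened layout (row number, request, source host, source port, destination host, destination port, protocol) and flags SMB2 reads of Group Policy Preferences XML files. Host names, ports and GUIDs in the sample rows are constructed placeholders; the set of preference files checked goes beyond the page's Groups.xml to the other well-known GPP XML types that can carry a `cpassword` attribute, which is an assumption about what the reader wants flagged.

```python
"""Flag SMB2 reads of Group Policy Preferences XML files under SYSVOL.

Added example for this page, not part of the original report or of
Find-GPOPasswords.ps1. The rows below are constructed to imitate the
flattened capture rows on the page; host names, ports and GUIDs are
placeholders, not a real capture.
"""
import re
from collections import defaultdict

# Preference files that can store a cpassword attribute. The page itself only
# shows Groups.xml being read; the rest of the set is the well-known list of
# credential-bearing GPP types (assumption: flag all of them, not only Groups.xml).
GPP_XML_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "drives.xml", "printers.xml",
}

# Trailing columns of a capture row: src sport dst dport proto.
TAIL_RE = re.compile(
    r"^(?P<body>.*?)\s+(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<proto>SMB2|DCERPC)$"
)
# One request inside the body (the page joins several with ';').
OP_RE = re.compile(
    r"^(?P<op>\w+) Request(?: Len:\S+ Off:\S+)?(?: FILE_INFO/\S+)? File: (?P<path>.+)$"
)
# Policy GUID and the path relative to that policy folder.
GUID_RE = re.compile(r"\\Policies\\\{(?P<guid>[^}]+)\}\\(?P<rel>.+)$")
# Directory-listing rows carry an info class and pattern after the path.
FIND_SUFFIX_RE = re.compile(r"\s+SMB2_FIND_\S+ Pattern: \S+$")


def parse_row(row):
    """Split one flattened row into its endpoints and the requests it carries."""
    m = TAIL_RE.match(row.strip())
    if not m:
        return None
    body = re.sub(r"^\d+\s+", "", m.group("body"))  # drop the row number
    ops = []
    for segment in body.split(";"):
        segment = FIND_SUFFIX_RE.sub("", segment.strip())
        om = OP_RE.match(segment)
        if om:
            ops.append((om.group("op"), om.group("path")))
    return {"src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "ops": ops}


def find_gpp_reads(rows):
    """Return (alerts, guids_listed).

    alerts: one dict per Read of a GPP XML file under \\Policies\\{GUID}\\.
    guids_listed: how many distinct policy folders each source host listed
    with a Find request, useful context when the same host then reads XML.
    """
    alerts = []
    listed = defaultdict(set)
    for row in rows:
        rec = parse_row(row)
        if rec is None or rec["dport"] != 445:
            continue  # keep only client -> server SMB requests
        for op, path in rec["ops"]:
            g = GUID_RE.search(path)
            if not g:
                continue  # not under a policy folder (e.g. the lsarpc pipe)
            if op == "Find":
                listed[rec["src"]].add(g.group("guid"))
            elif op == "Read":
                name = g.group("rel").rsplit("\\", 1)[-1].lower()
                if name in GPP_XML_FILES:
                    alerts.append({"src": rec["src"], "dc": rec["dst"],
                                   "guid": g.group("guid"), "file": name})
    return alerts, {src: len(guids) for src, guids in listed.items()}


# Constructed sample rows in the page's layout (placeholder hosts and GUIDs).
G1 = "{11111111-2222-3333-4444-555555555555}"
G2 = "{66666666-7777-8888-9999-000000000000}"
SAMPLE_ROWS = [
    rf"44 Create Request File: corp.example\Policies\{G1}\Machine\Preferences\Groups WS01 49752 DC01 445 SMB2",
    rf"46 Find Request File: corp.example\Policies\{G1}\Machine\Preferences\Groups SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: *;"
    rf"Find Request File: corp.example\Policies\{G1}\Machine\Preferences\Groups SMB2_FIND_ID_BOTH_DIRECTORY_INFO Pattern: * WS01 49752 DC01 445 SMB2",
    rf"49 Create Request File: corp.example\Policies\{G1}\Machine\Preferences\Groups\Groups.xml;GetInfo Request FILE_INFO/SMB2_FILE_NETWORK_OPEN_INFO WS01 49752 DC01 445 SMB2",
    rf"53 Read Request Len:1024 Off:0 File: corp.example\Policies\{G1}\Machine\Preferences\Groups\Groups.xml WS01 49752 DC01 445 SMB2",
    "Read Response DC01 445 WS01 49752 SMB2",
    "57 Read Request Len:1024 Off:0 File: lsarpc WS01 49752 DC01 445 SMB2",
    rf"12 Read Request Len:4096 Off:0 File: corp.example\Policies\{G2}\Machine\Registry.pol WS02 50210 DC01 445 SMB2",
    rf"61 Read Request Len:1024 Off:0 File: corp.example\Policies\{G2}\Machine\Preferences\Services\Services.xml WS01 49752 DC01 445 SMB2",
]

if __name__ == "__main__":
    found, listed = find_gpp_reads(SAMPLE_ROWS)
    for a in found:
        print(f"{a['src']} read {a['file']} of policy {a['guid']} on {a['dc']}")
    print("policy folders listed per host:", listed)
```

A plain read of these files is not proof of misuse on its own: domain members read GPP XML during normal Group Policy processing. Use the alert as the pivot into the domain controller's SYSVOL object access audit listed earlier on this page, and check whether the reading account is an interactive user rather than a computer account and whether the source host's PowerShell logs show the script being run.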