Step 1 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: User the process runs as (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (tunnel destination port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)

Step 1 (cont.) | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (tunnel destination port)
- Network Information > Destination Address: Destination IP address (source host)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Process that handled the connection
- Network Information > Direction: Communication direction
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID
Step 2 | Log: Security | Event ID: 4776 | Task Category: Credential Validation
The Domain Controller attempted to validate the credentials for an account.
- Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
- Logon Account: Account used
- Source Workstation: Host that requested account validation (attacker's host name)
- Error Code: Execution result (0x0)
Step 3 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: User the process runs as (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (tunnel destination port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)

Step 3 (cont.) | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (tunnel destination port)
- Network Information > Destination Address: Destination IP address (source host)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Process that handled the connection
- Network Information > Direction: Communication direction
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID
Step 4 | Log: Security | Event ID: 4648 | Task Category: Logon
A logon was attempted using explicit credentials.
- Process Information > Process ID: Process ID that attempted the logon
- Network Information > Port: Source port (high port)
- Account for which Credentials were Used > Account Name: Specified account name
- Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
- Subject > Account Domain: Domain to which the account belongs
- Target Server > Target Server Name: Logon destination host name (localhost)
- Process Information > Process Name: Process name that attempted the logon (C:\Windows\System32\winlogon.exe)
- Subject > Account Name: Name of the account that executed the tool
- Subject > Security ID: SID of the user who executed the tool
- Target Server > Additional Information: Additional information on the logon destination host (localhost)
- Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs
- Network Information > Network Address: Logon source host (source host)

Step 4 (cont.) | Log: Security | Event ID: 4624 | Task Category: Logon
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Network Information > Source Port: Source port number (high port)
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
- Logon Type: Logon path, method, etc.
- Network Information > Workstation Name: Name of the host that requested the logon (destination host)
- Process Information > Process Name: Path to the executable file
- Network Information > Source Network Address: IP address that requested the logon (source host)
- Subject > Logon ID: Session ID of the user who executed the authentication

Step 4 (cont.) | Log: Security | Event ID: 4672 | Task Category: Special Logon
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
Step 5 | Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Event ID: 1149 | Task Category: TerminalServices-RemoteConnectionManager
Remote Desktop Services: User authentication was successful.
- Domain: Domain of the user (destination host name)
- User: User who was using the session
- Source Network Address: Source host address of the session (source host)

Step 5 (cont.) | Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Event ID: 24 | Task Category: TerminalServices-LocalSessionManager
Remote Desktop Services: Session has been disconnected.
- User: User who was using the session
- Source Network Address: Source host address of the session (local)
- Session ID: ID of the session (number)

Step 5 (cont.) | Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Event ID: 25 | Task Category: TerminalServices-LocalSessionManager
Remote Desktop Services: Session reconnection successful.
- User: User who was using the session
- Source Network Address: Source host address of the session (source host)
- Session ID: ID of the session (number)

Step 5 (cont.) | Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Event ID: 24 | Task Category: TerminalServices-LocalSessionManager
Remote Desktop Services: Session has been disconnected.
- User: User who was using the session
- Source Network Address: Source host address of the session (source host)
- Session ID: ID of the session (number)

Step 5 (cont.) | Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Event ID: 25 | Task Category: TerminalServices-LocalSessionManager
Remote Desktop Services: Session reconnection successful.
- User: User who was using the session
- Source Network Address: Source host address of the session (local)
- Session ID: ID of the session (number)
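Added example, not part of this sheet or of any vendor tool: a Python correlation that ties the destination-host events listed above (Sysmon 3, 5156, 4776, 4624, 1149) to one source host, following the sheet's note that Sysmon 3 and 5156 carry the source host in their destination-address fields. It assumes simplified records keyed by the table's field labels; the host name ATK-PC, the address 10.0.0.5 and the account admin are constructed.

```python
"""Correlate the destination-host events tabulated above (Sysmon 3, 5156, 4776, 4624,
1149) into one finding per source host. Record format and sample data are constructed."""
from datetime import datetime, timedelta

# (channel, event ID) -> field holding the SOURCE host, using the table's labels. Per the
# table, Sysmon 3 and 5156 carry the source host in their *destination* address fields.
SOURCE_FIELD = {
    ("Microsoft-Windows-Sysmon/Operational", 3): "DestinationIp",
    ("Security", 5156): "Destination Address",
    ("Security", 4776): "Source Workstation",  # a host name; resolved through aliases
    ("Security", 4624): "Source Network Address",
    ("Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", 1149): "Source Network Address",
}
CHAIN = (3, 4776, 4624, 1149)  # minimal ordered chain: connect, validate, logon, RDP auth

def correlate(events, aliases, window=timedelta(minutes=10)):
    """Return one finding per source host whose CHAIN events occur in order within window."""
    by_source = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        field = SOURCE_FIELD.get((ev["channel"], ev["id"]))
        if field is None:
            continue
        if ev["id"] == 3 and not ev["fields"].get("Image", "").lower().endswith("\\svchost.exe"):
            continue  # the table ties the inbound connection to svchost.exe
        src = ev["fields"].get(field, "")
        by_source.setdefault(aliases.get(src.upper(), src), []).append(ev)
    findings = []
    for src, evs in by_source.items():
        first = {ev["id"]: ev for ev in reversed(evs)}  # earliest event per ID (evs is time-sorted)
        if any(i not in first for i in CHAIN):
            continue
        times = [first[i]["time"] for i in CHAIN]
        if times != sorted(times) or times[-1] - times[0] > window:
            continue
        findings.append({"source": src, "account": first[4776]["fields"].get("Logon Account"),
                         "rdp_user": first[1149]["fields"].get("User"),
                         "start": times[0], "end": times[-1]})
    return findings

T = datetime(2024, 1, 1, 9, 0, 0)
ALIASES = {"ATK-PC": "10.0.0.5"}  # constructed: source host name -> IP (from DNS/inventory)
SAMPLE = [  # constructed records modelled on the rows above
    {"time": T, "channel": "Microsoft-Windows-Sysmon/Operational", "id": 3,
     "fields": {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5"}},
    {"time": T + timedelta(seconds=1), "channel": "Security", "id": 4776,
     "fields": {"Logon Account": "admin", "Source Workstation": "ATK-PC", "Error Code": "0x0"}},
    {"time": T + timedelta(seconds=2), "channel": "Security", "id": 4624, "fields": {"Source Network Address": "10.0.0.5"}},
    {"time": T + timedelta(seconds=3), "id": 1149, "fields": {"User": "admin", "Source Network Address": "10.0.0.5"},
     "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"},
]
```

A missing alias for the 4776 workstation name, or a missing 1149, leaves the chain incomplete and no finding is raised, so the alias table is worth keeping current.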