net Command (net user/group)

- Tool Overview

Category: Adding or Deleting a User/Group
Description: Adds a user account on a host or in a domain.
Example of Presumed Tool Use During an Attack: This tool is used to create an account and log in to another host.

- Tool Operation Overview

Item                | Source Host   | Domain Controller
OS                  | Windows       | Windows Server
Belonging to Domain | Required      |
Rights              | Administrator |
Service             | Workstation   | Active Directory Domain Services

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Domain Controller
    • A record that a user or group was added, changed, or deleted (audit policy)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
    • User name, password, or group name specified by the command line (Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command (net user [User Name to Add] [Password] /add /domain)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
  • User: Execute as user
2 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Security ID: SID of the user who executed the tool (user SID)
3 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe)
  • CommandLine: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain)
  • ParentCommandLine: Command line of the parent process (net user [User Name to Add] [Password] /add /domain)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
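The Sysmon Event ID 1 rows above are what an endpoint detection would key on: the image is net.exe or net1.exe, the command line carries `user`/`group` plus `/add`, and net1.exe appears as a child of net.exe. The following detector is an added example, not code from the original sheet. It takes events as dicts whose keys mirror the Sysmon field names listed above (EventID, Image, CommandLine, ParentImage, User, UtcTime), reports the `/domain` scope and the net.exe→net1.exe chain, and redacts the password position before the command line is copied into an alert, since (as the "Additional Settings" item notes) Sysmon records the password in cleartext. SAMPLE_EVENTS is constructed for this example.

```python
"""Hunt for `net user` / `net group` account additions in Sysmon Event ID 1
(Process Create) records and redact the password Sysmon captured.

Added example, not code from the original sheet. Each event is a dict whose
keys mirror the Sysmon field names in the table above (EventID, Image,
CommandLine, ParentImage, User, UtcTime); SAMPLE_EVENTS is constructed."""
import re
from dataclasses import dataclass

# net.exe hands the real work to net1.exe, so one command yields two Event ID 1 records.
NET_IMAGE_NAMES = {"net.exe", "net1.exe"}
NET_COMMAND_NAMES = NET_IMAGE_NAMES | {"net", "net1"}

# `net user NAME [PASSWORD] /add [/domain]`, `net group GROUP NAME /add /domain`,
# `net localgroup GROUP NAME /add`; tolerates a quoted full path to net.exe.
ACCOUNT_ADD_RE = re.compile(
    r'^\s*"?(?:\S*\\)?net1?(?:\.exe)?"?\s+(user|group|localgroup)\s.*\s/add\b',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    utc_time: str
    user: str            # Sysmon "User": the account the process ran as
    image: str
    command_line: str    # password position already redacted
    subcommand: str      # user / group / localgroup
    domain_scope: bool   # /domain given: the change is applied on the Domain Controller
    via_net1: bool       # the net1.exe child whose parent is net.exe (the normal chain)


def _basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def is_account_add(command_line: str):
    """Return the net subcommand (user/group/localgroup) when the line adds an
    account or a group member, otherwise None."""
    m = ACCOUNT_ADD_RE.match(command_line)
    return m.group(1).lower() if m else None


def redact_password(command_line: str) -> str:
    """Blank the PASSWORD positional argument of `net user NAME PASSWORD ...` so
    the cleartext password that Sysmon recorded is not copied into alerts."""
    tokens = command_line.split()
    if (len(tokens) >= 4 and _basename(tokens[0]) in NET_COMMAND_NAMES
            and tokens[1].lower() == "user" and not tokens[3].startswith("/")):
        tokens[3] = "<redacted>"
    return " ".join(tokens)


def detect_account_add(events):
    """Return a Finding for every Event ID 1 whose image is net.exe/net1.exe and
    whose command line adds a user or a group member."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in NET_IMAGE_NAMES:
            continue
        cmd = ev.get("CommandLine", "")
        sub = is_account_add(cmd)
        if sub is None:
            continue
        findings.append(Finding(
            utc_time=ev.get("UtcTime", ""),
            user=ev.get("User", ""),
            image=ev["Image"],
            command_line=redact_password(cmd),
            subcommand=sub,
            domain_scope="/domain" in cmd.lower(),
            via_net1=(_basename(ev["Image"]) == "net1.exe"
                      and _basename(ev.get("ParentImage", "")) == "net.exe"),
        ))
    return findings


# Constructed sample: the net.exe -> net1.exe pair for one `/add /domain`, a benign
# `net use`, and a Sysmon network event that the detector must ignore.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-01 11:30:00.000", "User": r"CORP\administrator",
     "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net user newuser01 P@ssw0rd! /add /domain"},
    {"EventID": 1, "UtcTime": "2024-03-01 11:30:00.050", "User": r"CORP\administrator",
     "Image": r"C:\Windows\System32\net1.exe", "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net1 user newuser01 P@ssw0rd! /add /domain"},
    {"EventID": 1, "UtcTime": "2024-03-01 11:31:00.000", "User": r"CORP\jsmith",
     "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use \\fs01\share"},
    {"EventID": 3, "Image": "System", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in detect_account_add(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.user} {f.subcommand} domain={f.domain_scope} "
              f"via_net1={f.via_net1}: {f.command_line}")
```

A net1.exe record without a net.exe parent, or a net.exe record that never spawns net1.exe, is worth a second look on its own: the pairing in the table above is the normal shape of the tool, and anything else suggests a renamed binary or a direct call into net1.exe.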

Prefetch

- Domain Controller

Event log

# | Log | Event ID | Task Category | Event Details
1 | Security | 4661 | SAM | A handle to an object was requested.
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target object name (DN)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Object > Object Type: Target category (SAM_DOMAIN)
2 | Security | 4624 | Logon | An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (-)
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
3 | Security | 4737 | Security Group Management | A security-enabled global group was changed.
  • Changed Attribute > SID History: SID history of the changed group (-)
  • Group > Security ID: SID of the changed group (SID of the domain administrator group)
  • Group > Group Domain: Domain to which the changed group belongs (Domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Privileges of the changed group (-)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Changed Attribute > SAM Account Name: SAM account name of the changed group (-)
  • Group > Group Name: Name of the changed group (Domain Admins)
4 | Security | 4728 | Security Group Management | A member was added to a security-enabled global group.
  • Group > Security ID: SID of the group to which a member was added (SID of the domain administrator group)
  • Group > Group Domain: Domain that the group to which a member was added belongs to (Domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Member > Security ID: SID of the user who was added to the global group (SID of the created user)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Member > Account Name: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN])
  • Group > Group Name: Name of the group to which a member was added (Domain Admins)
5 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller port: 445)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
6 | Security | 4634 | Logoff | An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
7 | Security | 4661 | SAM | A handle to an object was requested.
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target object name (DC=[DN])
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Object > Object Type: Target category (SAM_DOMAIN)
8 | Security | 4624 | Logon | An account was successfully logged on.
  • Network Information > Source Port: Source port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Process Information > Process Name: Path to the executable file
  • Network Information > Source Network Address: IP address that requested the logon
9 | Security | 4634 | Logoff | An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
10 | Security | 4726 | User Account Management | A user account was deleted.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain to which the deleted account belongs (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the deleted account (deleted user name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the deleted user (SID of the general user)
11 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller ports: 445, 88)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
12 | Security | 4661 | SAM | A handle to an object was requested.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target object name (DN)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Object > Object Type: Target category (SAM_DOMAIN)
13 | Security | 4624 | Logon | An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal) (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
14 | Security | 4722 | User Account Management | A user account was enabled.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain to which the enabled account belongs (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the enabled account (name of the added user)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the enabled user (SID of the general user)
15 | Security | 4720 | User Account Management | A user account was created.
  • Attribute > Old UAC Value: Old UAC value for the user that was created (0x0)
  • Attribute > User Account Control: Account control for the user that was created
  • Attribute > Account Expiration Date: Date on which the created user account expires
  • Attribute > Password Last Set: Time at which the password of the created user was last set
  • Attribute > SID History: SID history of the created user (-)
  • New Account > Account Name: Name of the created account (name of the added user)
  • Attribute > Logon Time: Time at which the created user logged on
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Attribute > New UAC Value: New UAC value for the created user (0x15)
  • Attribute > Profile Path: Path to profile of the created user
  • Attribute > User Principal Name: Principal name of the created user (-)
  • Attribute > Allowed Delegation Destination: Delegation destination allowed for the created user (-)
  • New Account > Security ID: SID of the created user (SID of the general user)
  • Attribute > Primary Group ID: Primary group ID to which the created user belongs (513)
  • Attribute > Display Name: Display name for the created user
  • Attribute > SAM Account Name: SAM account name for the created user (added user name)
  • New Account > Account Domain: Domain to which the created user belongs (Domain)
  • Attribute > User Workstation: Workstation name for the created user
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Privilege information for the created user (-)
  • Attribute > Home Directory: Home directory for the created user
  • Attribute > Script Path: Script path for the created user
  • Attribute > Home Drive: Home drive for the created user
  • Attribute > User Parameter: Parameter for the created user
16 | Security | 4738 | User Account Management | A user account was changed.
  • Changed Attribute > Home Drive: Changed home drive of the user (-)
  • Target Account > Account Name: Name of the changed user (added user name)
  • Changed Attribute > Display Name: Changed display name of the user
  • Changed Attribute > Script Path: Changed path to the script of the user (-)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Changed Attribute > Allowed Delegation Destination: Changed delegation destination allowed for the user (-)
  • Target Account > Account Domain: Domain to which the changed user belongs (Domain)
  • Changed Attribute > User Workstation: Changed name of workstation of the user (-)
  • Changed Attribute > SAM Account Name: Changed name of SAM account of the user (-)
  • Target Account > Security ID: SID of the changed user (SID of the general user)
  • Changed Attribute > SID History: Changed history of SID of the user (-)
  • Changed Attribute > Account Expiration Date: Changed date on which the user account expires
  • Changed Attribute > Password Last Set: Time at which the password of the user was last set (execution time)
  • Changed Attribute > User Principal Name: Changed principal name of the user (-)
  • Changed Attribute > User Parameter: Changed parameter of the user (-)
  • Changed Attribute > Primary Group ID: Changed primary group ID to which the user belongs (-)
  • Changed Attribute > New UAC Value: New UAC value for the changed user (0x10)
  • Changed Attribute > Old UAC Value: Old UAC value for the changed user (0x15)
  • Changed Attribute > User Account Control: Changed account control for the user (the account is enabled)
  • Changed Attribute > Logon Time: Changed time at which the user logged on (-)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Changed Attribute > Home Directory: Changed home directory of the user (-)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Changed privileges of the user (-)
  • Changed Attribute > Profile Path: Changed path to the profile of the user (-)
17 | Security | 4724 | User Account Management | An attempt was made to reset an account password.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain that the account for which an attempt was made to reset the password belongs to (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the account for which an attempt was made to reset the password (added user name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the user for which an attempt was made to reset the password (SID of the general user)
18 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller port: 445)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
19 | Security | 4634 | Logoff | An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
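On the Domain Controller the chain that matters for detection is 4720 (account created), optionally 4728 (the new account's SID added to a global group such as Domain Admins) and, if the operator cleans up, 4726 (account deleted), all with the same Subject. The correlation below is an added example, not code from the original sheet. Events are dicts whose keys follow the EventData names of those Security events (SubjectUserName, TargetUserName, TargetSid, MemberSid, TimeCreated); the privileged-group list, the ten-minute window and SAMPLE_EVENTS are assumptions made for this example.

```python
"""Correlate the Domain Controller Security events that `net user ... /add /domain`
and `net group ... /add /domain` leave behind: 4720 (created) followed by 4728
(added to a global group) or 4726 (deleted) for the same account SID.

Added example, not code from the original sheet. Event dicts use the EventData
field names of the Security events (SubjectUserName, TargetUserName, TargetSid,
MemberSid); HIGH_VALUE_GROUPS, the window and SAMPLE_EVENTS are assumptions."""
from datetime import datetime, timedelta

# Assumption: groups whose membership a defender treats as privileged.
HIGH_VALUE_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def correlate_account_lifecycle(events, window=timedelta(minutes=10)):
    """Return alerts for accounts created by 4720 that, within `window`, were
    added to a group (4728) or deleted again (4726). The created account is
    keyed by its SID, which 4728 reports as MemberSid and 4726 as TargetSid."""
    created = {}   # TargetSid of the new account -> its 4720 event
    alerts = []
    for ev in sorted(events, key=_ts):
        eid = ev["EventID"]
        if eid == 4720:
            created[ev["TargetSid"]] = ev
            continue
        if eid == 4728:
            sid = ev["MemberSid"]
            origin, pattern = created.get(sid), "create-then-add-to-group"
        elif eid == 4726:
            sid = ev["TargetSid"]
            origin, pattern = created.pop(sid, None), "create-then-delete"
        else:
            continue
        if origin is None or _ts(ev) - _ts(origin) > window:
            continue
        group = ev["TargetUserName"] if eid == 4728 else None
        alerts.append({
            "pattern": pattern,
            "severity": "high" if group and group.lower() in HIGH_VALUE_GROUPS else "medium",
            "account": origin["TargetUserName"],
            "account_sid": sid,
            "group": group,
            "subject": ev["SubjectUserName"],
            # The same operator doing both steps is the net user + net group pattern above.
            "same_subject": ev["SubjectUserName"] == origin["SubjectUserName"],
            "delta_seconds": (_ts(ev) - _ts(origin)).total_seconds(),
        })
    return alerts


# Constructed sample: a routine helpdesk creation with a late, harmless group add,
# and an administrator who creates an account, adds it to Domain Admins within
# seconds and deletes it a few minutes later.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-01T10:00:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1111-2222-3333-1201"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T12:30:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1111-2222-3333-1201"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T11:30:00", "SubjectUserName": "administrator",
     "TargetUserName": "newuser01", "TargetSid": "S-1-5-21-1111-2222-3333-1205"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T11:30:05", "SubjectUserName": "administrator",
     "TargetUserName": "Domain Admins", "MemberSid": "S-1-5-21-1111-2222-3333-1205"},
    {"EventID": 4726, "TimeCreated": "2024-03-01T11:36:00", "SubjectUserName": "administrator",
     "TargetUserName": "newuser01", "TargetSid": "S-1-5-21-1111-2222-3333-1205"},
]

if __name__ == "__main__":
    for a in correlate_account_lifecycle(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['pattern']}: {a['account']} by {a['subject']} "
              f"group={a['group']} after {a['delta_seconds']:.0f}s")
```

Keying on the SID rather than the account name is deliberate: 4728 carries the member as a distinguished name (see the Member > Account Name field above) while 4720 and 4726 carry the SAM name, and the SID is the one value all three share unchanged.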

- Details: Source Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net user [User Name to Add] [Password] /add /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
1 | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (net user [User Name to Add] [Password] /add /domain)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
2 | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
3 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to access source process (C:\Windows\system32\net.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\net1.exe)
4 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (17=UDP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
4 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
5 | Security | 4703 | Token Right Adjusted Events | A token right was adjusted.
  • Disabled Privileges: Disabled privileges (-)
  • Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])
  • Target Account > Logon ID: Session ID of the target user
  • Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]/[Domain Name])
  • Subject > Logon ID: Session ID of the user who executed the process
  • Process Information > Process ID: ID of the executed process
  • Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
6 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
6 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
6 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
7 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
7 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
7 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
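Rows 4, 6 and 7 show the host-side footprint of a `/domain` change: net1.exe itself opens no socket, but lsass.exe and System immediately reach the Domain Controller on 389/UDP (LDAP), 445/TCP (SMB) and 88/TCP (Kerberos), recorded as Filtering Platform 5156 events. The function below pairs a net1.exe Process Create (4688) with those outbound 5156 events so an analyst can confirm the change reached a DC rather than staying local. It is an added example, not code from the original sheet; the dict keys follow the 4688/5156 EventData names (NewProcessName, NewProcessId, Application, DestAddress, DestPort), the Direction value is assumed to be already normalised to "outbound", and DC_ADDRESSES, the window and the sample events are constructed.

```python
"""Confirm that a `net ... /domain` change reached the Domain Controller by
pairing the net1.exe Process Create (Security 4688) with the outbound WFP 5156
connections that lsass.exe or System open to a DC right afterwards.

Added example, not code from the original sheet. Keys follow the 4688/5156
EventData names; DC_ADDRESSES, the window and the sample events are assumptions."""
from datetime import datetime, timedelta

DC_ADDRESSES = {"10.0.0.10"}                          # assumption: the known DCs
DC_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}  # ports seen in rows 4, 6 and 7
DOMAIN_CLIENTS = {"lsass.exe", "system"}              # processes that talk to the DC


def _t(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _app_name(application: str) -> str:
    # 5156 reports \device\harddiskvolumeN\...\lsass.exe or just "System".
    return application.rsplit("\\", 1)[-1].lower()


def dc_connections_after(process_events, wfp_events, window=timedelta(seconds=30)):
    """For each net1.exe 4688, list the outbound 5156 connections to a DC on a
    domain port made by lsass.exe or System within `window` after it started."""
    results = []
    for pe in process_events:
        if pe["EventID"] != 4688 or _app_name(pe["NewProcessName"]) != "net1.exe":
            continue
        t0 = _t(pe["TimeCreated"])
        hits = []
        for we in wfp_events:
            if we["EventID"] != 5156 or we["Direction"] != "outbound":
                continue
            dt = _t(we["TimeCreated"]) - t0
            if not (timedelta(0) <= dt <= window):
                continue        # connections before the process are unrelated
            if we["DestAddress"] not in DC_ADDRESSES or we["DestPort"] not in DC_PORTS:
                continue
            if _app_name(we["Application"]) not in DOMAIN_CLIENTS:
                continue
            hits.append((DC_PORTS[we["DestPort"]], we["DestPort"], dt.total_seconds()))
        results.append({"process_id": pe["NewProcessId"], "command": pe["CommandLine"],
                        "dc_contact": sorted(hits), "reached_dc": bool(hits)})
    return results


# Constructed sample: net.exe and net1.exe starts, then LDAP, SMB and Kerberos to the
# DC within two seconds, plus a browser connection and an earlier SMB connection that
# must both be ignored.
PROCESS_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-03-01T11:30:00.000000", "NewProcessId": "0x1a40",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user newuser01 <redacted> /add /domain"},
    {"EventID": 4688, "TimeCreated": "2024-03-01T11:30:00.000000", "NewProcessId": "0x1a4c",
     "NewProcessName": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user newuser01 <redacted> /add /domain"},
]
LSASS = r"\device\harddiskvolume2\windows\system32\lsass.exe"
WFP_EVENTS = [
    {"EventID": 5156, "TimeCreated": "2024-03-01T11:30:00.500000", "Direction": "outbound",
     "Application": LSASS, "DestAddress": "10.0.0.10", "DestPort": 389, "Protocol": 17},
    {"EventID": 5156, "TimeCreated": "2024-03-01T11:30:01.000000", "Direction": "outbound",
     "Application": "System", "DestAddress": "10.0.0.10", "DestPort": 445, "Protocol": 6},
    {"EventID": 5156, "TimeCreated": "2024-03-01T11:30:02.000000", "Direction": "outbound",
     "Application": LSASS, "DestAddress": "10.0.0.10", "DestPort": 88, "Protocol": 6},
    {"EventID": 5156, "TimeCreated": "2024-03-01T11:30:03.000000", "Direction": "outbound",
     "Application": r"\device\harddiskvolume2\program files\browser\browser.exe",
     "DestAddress": "10.0.0.50", "DestPort": 443, "Protocol": 6},
    {"EventID": 5156, "TimeCreated": "2024-03-01T11:29:55.000000", "Direction": "outbound",
     "Application": "System", "DestAddress": "10.0.0.10", "DestPort": 445, "Protocol": 6},
]

if __name__ == "__main__":
    for r in dc_connections_after(PROCESS_EVENTS, WFP_EVENTS):
        print(r["process_id"], r["command"], "reached DC:", r["reached_dc"], r["dc_contact"])
```

Because lsass.exe and System run as NT AUTHORITY\SYSTEM, the Subject fields of the 5156 events never name the operator; the only link back to the person who ran the command is the timing against the net1.exe 4688 (or Sysmon 1) record, which is why the window is kept short.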
8 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE and WriteAttributes)
  • Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
8 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
8 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
9 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Subject > Security ID: SID of the user who executed the tool (user SID)
  • Subject > Logon ID: Session ID of the user who executed the process
10 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
10 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL/-/[Hexadecimal])
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
11 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
12 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
13 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net group "domain admins" [User Name to Add] /add /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
14 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Windows\system32\net1 group "domain admins" [User Name to Add] /add /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (net group "domain admins" [User Name to Add] /add /domain)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
15 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1fffff)
  • SourceImage: Path to access source process (C:\Windows\System32\net.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\net1.exe)
16 Security 4703 Token Right Adjusted Events A token right was adjusted.
  • Disabled Privileges: Disabled privileges (-)
  • Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])
  • Target Account > Logon ID: Session ID of the target user
  • Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]$/[Domain Name])
  • Subject > Logon ID: Session ID of the user who executed the process
  • Process Information > Process ID: ID of the executed process
  • Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
17 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
18 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
19 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
20 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Security ID: SID of the user who executed the tool (user SID)
  • Subject > Logon ID: Session ID of the user who executed the process
21 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
22 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net user [User Name to Create] /delete /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
23 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Windows\System32\net1 user [User Name to Create] /delete /domain)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (net user [User Name to Create] /delete /domain)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
24 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to access source process (C:\Windows\System32\net.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\net1.exe)
25 Security 4703 Token Right Adjusted Events A token right was adjusted.
  • Disabled Privileges: Disabled privileges (-)
  • Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])
  • Target Account > Logon ID: Session ID of the target user
  • Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]$/[Domain Name])
  • Subject > Logon ID: Session ID of the user who executed the process
  • Process Information > Process ID: ID of the executed process
  • Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
26 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
27 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net1.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe)
  • Subject > Security ID: SID of the user who executed the tool (user SID)
  • Subject > Logon ID: Session ID of the user who executed the process
28 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Security ID: SID of the user who executed the tool (user SID)
  • Subject > Logon ID: Session ID of the user who executed the process
29 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
30 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested access to the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
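
Detection logic built from the Sysmon Process Create fields listed in the table above (CommandLine, Image, ParentImage, ProcessGuid, ParentProcessGuid, UtcTime, User). This is an added example and not part of the JPCERT sheet: it parses net/net1 command lines for account and group changes, ties each net1.exe child to the net.exe parent that spawned it (the #13/#14 pair) so the pair is reported once, and reports accounts that were added to a privileged group (#13) and deleted (#22) shortly after being created. The Sysmon records, account name, GUIDs and timestamps are constructed sample data; the privileged-group list is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example, not from the JPCERT sheet. Group list is an assumption; tune it per domain.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators",
                     "schema admins", "account operators"}
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout


@dataclass
class NetAction:
    op: str                    # create_user / delete_user / add_member / remove_member
    scope: str                 # "domain" when /domain is present, else "local"
    target: str                # account (user ops) or group (member ops)
    members: tuple             # accounts named after the group (member ops)
    privileged: bool           # member op against a group in PRIVILEGED_GROUPS
    password_in_cmdline: bool  # 'net user NAME PASSWORD /add' leaves the password in the log


def parse_net_cmdline(cmdline: str) -> Optional[NetAction]:
    """Parse a net.exe / net1.exe command line into the account change it makes.
    Double-quoted words stay together ('net group "domain admins" ...') and
    backslashes are literal, so the net1 form with its full path parses too.
    Returns None for other programs and for query-only use such as 'net user'."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 3:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe not in ("net", "net1"):
        return None
    sub = tokens[1].lower()
    flags = {t.lower() for t in tokens[2:] if t.startswith("/")}
    args = [t for t in tokens[2:] if not t.startswith("/")]
    scope = "domain" if "/domain" in flags else "local"
    if sub == "user" and args and "/add" in flags:
        # 'net user NAME * /add' prompts for the password instead of taking it inline
        return NetAction("create_user", scope, args[0], (), False, len(args) > 1 and args[1] != "*")
    if sub == "user" and args and "/delete" in flags:
        return NetAction("delete_user", scope, args[0], (), False, False)
    if sub in ("group", "localgroup") and len(args) > 1 and flags & {"/add", "/delete"}:
        op = "add_member" if "/add" in flags else "remove_member"
        return NetAction(op, scope, args[0], tuple(args[1:]), args[0].lower() in PRIVILEGED_GROUPS, False)
    return None


def review_events(events: list) -> list:
    """One finding per net.exe Process Create (Sysmon Event ID 1) that changes an
    account or group. The net1.exe child that net.exe spawns with the same arguments
    (the #13/#14 pair) is matched through ParentProcessGuid and noted on the
    parent's finding instead of being reported as a second change."""
    net1_parents = {e["ParentProcessGuid"] for e in events if e["Image"].lower().endswith("\\net1.exe")}
    findings = []
    for e in events:
        if not e["Image"].lower().endswith("\\net.exe"):
            continue
        action = parse_net_cmdline(e["CommandLine"])
        if action is None:
            continue
        findings.append({"time": datetime.strptime(e["UtcTime"], TIME_FMT), "user": e["User"],
                         "parent": e["ParentImage"], "action": action,
                         "net1_child_seen": e["ProcessGuid"] in net1_parents})
    return findings


def short_lived_accounts(findings: list, max_minutes: int = 60) -> list:
    """Accounts created and deleted within max_minutes, with the privileged groups they
    were added to in between: the add-to-"domain admins" (#13) then delete (#22)
    sequence shown above, read as one episode."""
    created, results = {}, []
    for f in sorted(findings, key=lambda f: f["time"]):
        a = f["action"]
        key = (a.scope, a.target.lower())
        if a.op == "create_user":
            created[key] = {"account": a.target, "created": f["time"], "groups": []}
        elif a.op == "add_member" and a.privileged:
            for m in a.members:
                if (a.scope, m.lower()) in created:
                    created[(a.scope, m.lower())]["groups"].append(a.target)
        elif a.op == "delete_user" and key in created:
            rec = created.pop(key)
            if (f["time"] - rec["created"]).total_seconds() <= max_minutes * 60:
                results.append(dict(rec, deleted=f["time"]))
    return results


def _ev(t, guid, parent_guid, image, parent_image, cmdline):
    return {"UtcTime": t, "ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "ParentImage": parent_image, "User": r"EXAMPLE\operator", "CommandLine": cmdline}


# Constructed sample records (field names as in the table; account, GUIDs and times are made up).
NET, NET1, CMD = r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    _ev("2024-03-05 01:10:00.000", "{A1}", "{00}", NET, CMD, "net user tmpsvc01 [Password] /add /domain"),
    _ev("2024-03-05 01:10:00.100", "{A2}", "{A1}", NET1, NET, r"C:\Windows\system32\net1 user tmpsvc01 [Password] /add /domain"),
    _ev("2024-03-05 01:12:00.000", "{B1}", "{00}", NET, CMD, 'net group "domain admins" tmpsvc01 /add /domain'),
    _ev("2024-03-05 01:12:00.100", "{B2}", "{B1}", NET1, NET, r'C:\Windows\system32\net1 group "domain admins" tmpsvc01 /add /domain'),
    _ev("2024-03-05 01:40:00.000", "{C1}", "{00}", NET, CMD, "net user tmpsvc01 /delete /domain"),
    _ev("2024-03-05 01:45:00.000", "{D1}", "{00}", NET, CMD, "net user /domain"),  # query only: not flagged
]

if __name__ == "__main__":
    findings = review_events(SAMPLE_EVENTS)
    for f in findings:
        a = f["action"]
        print(f"{f['time']:%H:%M:%S} {f['user']} {a.op} {a.scope} {a.target} {list(a.members)} "
              f"privileged={a.privileged} password_in_cmdline={a.password_in_cmdline} "
              f"net1_child_seen={f['net1_child_seen']}")
    for rec in short_lived_accounts(findings):
        print("short-lived account:", rec)
```

Feeding the findings from real Event ID 1 records would also let an analyst cross-check the `password_in_cmdline` flag, since the sheet notes that the password passed to `net user ... /add` is recorded by Sysmon; a finding with `net1_child_seen` false means the child record the table shows at #14 was not captured and the Sysmon configuration should be reviewed.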

- USN Journal

# File Name Process Attribute
1 NET1.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
NET1.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
NET1.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
2 NET.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
NET.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
NET.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
3 NET1.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
NET1.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
NET1.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
4 NET.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
NET.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
NET.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
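The "FILE_CREATE", "DATA_EXTEND+FILE_CREATE", "CLOSE+DATA_EXTEND+FILE_CREATE" strings in the USN Journal table are the reason bit-flags of individual change-journal records, and "archive+not_indexed" is the file-attribute mask. As an added example (not code from the original page), the following Python decodes raw USN_RECORD_V2 records using the documented Windows layout (60-byte header followed by a UTF-16LE file name) and renders the flags the way the table does. The sample journal bytes, the prefetch hash value 6F1BB2A4, the file reference numbers and the timestamp are all constructed for the example; on a real system the same records would be read from the `$UsnJrnl:$J` stream.

```python
"""Decode NTFS USN change-journal records (USN_RECORD_V2) and report the
reason/attribute flags for prefetch files written by net.exe / net1.exe."""
import re
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (little-endian, 60 bytes):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HDR = struct.Struct("<IHHQQQqIIIIHH")

# USN_REASON_* bits that matter for execution-artifact tracking.
_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
# FILE_ATTRIBUTE_* bits, named as the table above names them.
_ATTRS = {0x02: "hidden", 0x04: "system", 0x10: "directory",
          0x20: "archive", 0x80: "normal", 0x2000: "not_indexed"}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NET_PREFETCH = re.compile(r"^NET1?\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def _flag_names(value, table):
    """Render set bits as 'A+B+C' in alphabetical order; unknown bits stay hex."""
    names = sorted(name for bit, name in table.items() if value & bit)
    leftover = value & ~sum(table) & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08x}")
    return "+".join(names)


def filetime_to_datetime(filetime):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_usn_records(buf):
    """Walk a buffer of consecutive USN_RECORD_V2 records and decode each one."""
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _src,
         _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if length == 0:            # zero fill at the end of a journal page
            break
        if length < _HDR.size or off + length > len(buf):
            raise ValueError(f"truncated or corrupt record at offset {off}")
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "frn": frn, "parent_frn": parent_frn,
            "timestamp": filetime_to_datetime(ts),
            "file_name": name,
            "reason": _flag_names(reason, _REASONS),
            "attributes": _flag_names(attrs, _ATTRS),
        })
        off += length              # RecordLength already includes 8-byte padding
    return records


def build_usn_record(name, reason, attrs, usn, filetime,
                     frn=0x0001000000000ABC, parent_frn=0x0001000000000123):
    """Construct one USN_RECORD_V2 (used here only to build sample input)."""
    enc = name.encode("utf-16-le")
    length = _HDR.size + len(enc)
    length += (-length) % 8        # records are 8-byte aligned
    hdr = _HDR.pack(length, 2, 0, frn, parent_frn, usn, filetime,
                    reason, 0, 0, attrs, len(enc), _HDR.size)
    return hdr + enc + b"\0" * (length - _HDR.size - len(enc))


def net_prefetch_creations(records):
    """Completed creations (CLOSE and FILE_CREATE set) of NET*.EXE-*.pf files."""
    return [r for r in records
            if _NET_PREFETCH.match(r["file_name"])
            and "FILE_CREATE" in r["reason"] and "CLOSE" in r["reason"]]


# Constructed sample: the six records rows 1 and 2 of the table describe,
# FILETIME 132444736000000000 == 2020-09-13T12:26:40Z, hash 6F1BB2A4 is made up.
_T0 = 132444736000000000
_ARCHIVE_NOT_INDEXED = 0x20 | 0x2000
SAMPLE_JOURNAL = b"".join(
    build_usn_record(name, reason, _ARCHIVE_NOT_INDEXED, usn, _T0 + usn)
    for usn, (name, reason) in enumerate([
        ("NET1.EXE-6F1BB2A4.pf", 0x00000100),
        ("NET1.EXE-6F1BB2A4.pf", 0x00000102),
        ("NET1.EXE-6F1BB2A4.pf", 0x80000102),
        ("NET.EXE-6F1BB2A4.pf", 0x00000100),
        ("NET.EXE-6F1BB2A4.pf", 0x00000102),
        ("NET.EXE-6F1BB2A4.pf", 0x80000102),
    ], start=1)
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_JOURNAL):
        print(r["timestamp"].isoformat(), r["file_name"], r["reason"], r["attributes"])
    print("completed prefetch creations:",
          [r["file_name"] for r in net_prefetch_creations(SAMPLE_JOURNAL and parse_usn_records(SAMPLE_JOURNAL))])
```

The three-record pattern per file (FILE_CREATE, then DATA_EXTEND added, then CLOSE) is what the journal looks like for a first execution; rows 3 and 4 of the table (DATA_TRUNCATION instead of FILE_CREATE) are the same sequence for a re-execution that rewrites an existing prefetch file, and the same decoder renders them as "CLOSE+DATA_EXTEND+DATA_TRUNCATION".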

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\NET1.EXE-[RANDOM].pf FILE ALLOCATED
2 [Drive Name]:\Windows\Prefetch\NET.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf NET.EXE C:\WINDOWS\SYSTEM32\NET1.EXE Last Run Time (last execution date and time)
2 C:\Windows\Prefetch\NET.EXE-[RANDOM].pf NET.EXE C:\WINDOWS\SYSTEM32\NET.EXE Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (udp)
  • DestinationPort: Destination port number (high port)
  • DestinationIp: Destination IP address (source host IP address)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number
  • SourcePort: Source port number (389)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (88)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (88)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
Security 4768 Kerberos Authentication Service A Kerberos authentication ticket (TGT) was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host)
  • Account Information > Supplied Realm Name: Account domain (domain)
  • Additional Information > Ticket Option: Ticket settings (0x40810010)
  • Account Information > Account Name: Name of the account from which the ticket was requested (administrator)
  • Additional Information > Result Code: Ticket processing result (0x0)
  • Network Information > Client Port: Source port number of the ticket request (high port)
  • Account Information > User ID: SID of the account (SID of the administrator)
5 Security 4769 Kerberos Service Ticket Operations A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host)
  • Account Information > Account Domain: Account domain (domain)
  • Account Information > Account Name: Name of the account from which the ticket was requested ([administrator]@[Domain])
  • Additional Information > Ticket Option: Ticket settings (0x40810000)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Ticket service name ([Domain Controller Host Name]$)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service (SID of the standard user)
  • Network Information > Client Port: Source port number of the ticket request (high port)
Security 4769 Kerberos Service Ticket Operations A Kerberos service ticket was requested.
  • Network Information > Client Address: Source IP address that requested the ticket (source host)
  • Account Information > Account Domain: Account domain (domain)
  • Account Information > Account Name: Name of the account from which the ticket was requested ([administrator]@[Domain])
  • Additional Information > Ticket Option: Ticket settings (0x40810000)
  • Additional Information > Error Code: Ticket processing result (0x0)
  • Service Information > Service Name: Service name of the ticket (krbtgt)
  • Account Information > Logon GUID: Session ID of the logon
  • Service Information > Service ID: SID of the service (SID of the KDC service)
  • Network Information > Client Port: Source port number of the ticket request (high port)
5 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
6 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal) (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
7 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Shared Information > Share Path: Shared path
  • Network Information > Source/Source Port: Execution source host/Port number
  • Access Request Information > Access: Requested privileges (ReadData)
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the object (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privilege
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (samr)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
8 Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target object name (DN)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Object > Object Type: Target category (SAM_DOMAIN)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target object name (DN)
  • Access Request Information > Access: Requested privileges (ListAccounts)
  • Object > Object Server: Object server (Security Account Manager)
  • Process Information > Process Name: Name of the process that requested the handle ({bf967a90-0de6-11d0-a285-00aa003049e2})
  • Object > Object Type: Target category (SAM_DOMAIN)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4720 User Account Management A user account was created.
  • Attribute > Old UAC Value: Old UAC value for the user that was created (0x0)
  • Attribute > User Account Control: Account control for the user that was created
  • Attribute > Account Expiration Date: Date on which the created user account expires
  • Attribute > Password Last Set: Time the password was last set for the created user
  • Attribute > SID History: SID history of the created user (-)
  • New Account > Account Name: Name of the created account (name of the added user)
  • Attribute > Logon Time: Time at which the created user logged on
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Attribute > New UAC Value: New UAC value for the created user (0x15)
  • Attribute > Profile Path: Path to profile of the created user
  • Attribute > User Principal Name: Principal name of the created user (-)
  • Attribute > Allowed Delegation Destination: Delegation destination allowed for the created user (-)
  • New Account > Security ID: SID of the created user (SID of the general user)
  • Attribute > Primary Group ID: Primary group ID to which the created user belongs (513)
  • Attribute > Display Name: Display name for the created user
  • Attribute > SAM Account Name: SAM account name for the created user (added user name)
  • New Account > Account Domain: Domain to which the created user belongs (Domain)
  • Attribute > User Workstation: Workstation name for the created user
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Privilege information for the created user (-)
  • Attribute > Home Directory: Home directory for the created user
  • Attribute > Script Path: Script path for the created user
  • Attribute > Home Drive: Home drive for the created user
  • Subject > Logon ID: Session ID of the user who executed the process
  • Attribute > User Parameter: Parameter for the created user
Security 4722 User Account Management A user account was enabled.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain to which the enabled account belongs (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the enabled account (name of the added user)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the enabled user (SID of the general user)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4724 User Account Management An attempt was made to reset an account password.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain of the account whose password reset was attempted (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the account whose password reset was attempted (added user name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the account whose password reset was attempted (SID of the general user)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4738 User Account Management A user account was changed.
  • Changed Attribute > Home Drive: Changed home drive of the user (-)
  • Target Account > Account Name: Name of the changed user account (added user name)
  • Changed Attribute > Display Name: Changed display name of the user
  • Changed Attribute > Script Path: Changed path to the script of the user (-)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Changed Attribute > Allowed Delegation Destination: Changed delegation destination allowed for the user (-)
  • Target Account > Account Domain: Domain to which the changed user account belongs (Domain)
  • Changed Attribute > User Workstation: Changed name of workstation of the user (-)
  • Changed Attribute > SAM Account Name: Changed name of SAM account of the user (-)
  • Target Account > Security ID: SID of the changed user account (SID of the general user)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Changed Attribute > SID History: Changed history of SID of the user (-)
  • Changed Attribute > Account Expiration Date: Changed date on which the user account expires
  • Changed Attribute > Password Last Set: Time the password was last set for the changed user (execution time)
  • Changed Attribute > User Principal Name: Changed principal name of the user (-)
  • Changed Attribute > User Parameter: Changed parameter of the user (-)
  • Changed Attribute > Primary Group ID: Changed primary group ID to which the user belongs (-)
  • Changed Attribute > New UAC Value: New UAC value for the changed user (0x10)
  • Changed Attribute > Old UAC Value: Old UAC value for the changed user (0x15)
  • Changed Attribute > User Account Control: Changed account control for the user (the account is enabled)
  • Changed Attribute > Logon Time: Changed time at which the user logged on (-)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Changed Attribute > Home Directory: Changed home directory of the user (-)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Changed privileges of the user (-)
  • Changed Attribute > Profile Path: Changed path to the profile of the user (-)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Subject > Logon ID: Session ID of the user who executed the authentication
9 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
10 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
11 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (-)
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
12 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Shared Information > Share Path: Shared path
  • Network Information > Source/Source Port: Execution source host/Port number
  • Access Request Information > Access: Requested privileges (ReadData)
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the object (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privilege
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (samr)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
13 Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target object name (DN)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Object > Object Type: Target category (SAM_DOMAIN)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target object name (SID of the domain administrator group)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Object server (Security Account Manager)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Object > Object Type: Target category (SAM_GROUP)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4728 Security Group Management A member was added to a security-enabled global group.
  • Group > Security ID: SID of the group to which a member was added (SID of the domain administrator group)
  • Group > Group Domain: Domain that the group to which a member was added belongs to (Domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Member > Security ID: SID of the user who was added to the global group (SID of the created user)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Member > Account Name: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN])
  • Group > Group Name: Name of the group to which a member was added (Domain Admins)
Security 4737 Security Group Management A security-enabled global group was changed.
  • Changed Attribute > SID History: Changed history of the SID (-)
  • Group > Security ID: Changed SID of the group (SID of the domain administrator group)
  • Group > Group Domain: Changed domain to which the group belongs (Domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Additional Information > Privileges: Changed privileges of the group (-)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Changed Attribute > SAM Account Name: Changed name of the SAM account (-)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Group > Group Name: Changed name of the group (Domain Admins)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
14 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Subject > Logon ID: Session ID of the user who executed the authentication
15 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (Domain Controller host name)
  • SourceIp: Source IP address (Domain Controller IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
16 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
17 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
18 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Shared Information > Share Path: Shared path
  • Network Information > Source/Source Port: Execution source host/Port number
  • Access Request Information > Access: Requested privileges (ReadData)
  • Shared Information > Share Name: Share name used (\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privilege
  • Shared Information > Share Name: Share name (\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (samr)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
19 Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target object name (DC=[DN])
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Server that owns the object (Security Account Manager)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Object > Object Type: Target category (SAM_DOMAIN)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4661 SAM A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target object name (CN=Builtin,DC=[DN])
  • Access Request Information > Access: Requested privilege (DELETE)
  • Object > Object Server: Server that owns the object (Security Account Manager)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Object > Object Type: Target category (SAM_DOMAIN)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
20 Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privilege
  • Shared Information > Share Name: Share name (\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (samr)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4726 User Account Management A user account was deleted.
  • Subject > Account Name: Name of the account that executed the tool (administrator)
  • Target Account > Account Domain: Domain to which the deleted account belongs (Domain)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Account > Account Name: Name of the deleted account (deleted user name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Target Account > Security ID: SID of the deleted account (SID of the general user)
  • Subject > Logon ID: Session ID of the user who executed the process
21 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
  • Subject > Logon ID: Session ID of the user who executed the authentication
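
One way to turn the Domain Controller-side records above into a single detection is to correlate 4624, 5145, 4661 and 4726 by Logon ID, in time order. This is an added example, not code from the original page: the event rows, field names and timestamps are constructed, and a real EVTX or SIEM export would have to be mapped onto these fields first.

```python
"""Correlate the Domain Controller-side Security events that a remote
"net user <name> /delete /domain" leaves behind, tied together by Logon ID:
4624 (network logon) -> 5145 (samr pipe on IPC$) -> 4661 (SAM_DOMAIN handle
via lsass.exe) -> 4726 (user deleted). Added example, not the page's code;
the rows below are constructed, flattened log records, not real output."""
from collections import defaultdict, namedtuple

# Constructed sample rows. For 4624, "logon_id" holds New Logon > Logon ID;
# for every other event it holds Subject > Logon ID.
SAMPLE_EVENTS = [
    {"time": "2023-01-10T09:00:01", "id": 4624, "logon_id": "0x3e7a1",
     "logon_type": 3, "account": "administrator", "src_ip": "10.0.0.25"},
    {"time": "2023-01-10T09:00:02", "id": 5145, "logon_id": "0x3e7a1",
     "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2023-01-10T09:00:03", "id": 4661, "logon_id": "0x3e7a1",
     "object_type": "SAM_DOMAIN", "access": "DELETE",
     "process": r"C:\Windows\System32\lsass.exe"},
    {"time": "2023-01-10T09:00:03", "id": 4726, "logon_id": "0x3e7a1",
     "account": "administrator", "target_account": "tempuser"},
    {"time": "2023-01-10T09:00:04", "id": 4634, "logon_id": "0x3e7a1",
     "logon_type": 3},
    # Console session on the DC: same SAM handle and deletion, but no
    # IPC$/samr pipe access, so it is not a remote net.exe change.
    {"time": "2023-01-10T10:15:00", "id": 4624, "logon_id": "0x51b20",
     "logon_type": 2, "account": "helpdesk", "src_ip": "-"},
    {"time": "2023-01-10T10:15:05", "id": 4661, "logon_id": "0x51b20",
     "object_type": "SAM_DOMAIN", "access": "DELETE",
     "process": r"C:\Windows\System32\lsass.exe"},
    {"time": "2023-01-10T10:15:05", "id": 4726, "logon_id": "0x51b20",
     "account": "helpdesk", "target_account": "olduser"},
]

# Ordered chain: each predicate must match an event no earlier than the
# previous step's match within the same logon session.
STEP_CHECKS = (
    lambda e: e["id"] == 4624 and e.get("logon_type") == 3,
    lambda e: e["id"] == 5145 and e.get("share", "").upper().endswith(r"\IPC$")
    and e.get("target", "").lower() == "samr",
    lambda e: e["id"] == 4661 and e.get("object_type") == "SAM_DOMAIN"
    and e.get("process", "").lower().endswith("lsass.exe"),
    lambda e: e["id"] == 4726,
)

RemoteSamChange = namedtuple(
    "RemoteSamChange", "logon_id actor source_ip target_account steps")


def correlate_remote_sam_changes(events):
    """Return one RemoteSamChange per logon session showing the full chain."""
    by_logon = defaultdict(list)
    for ev in events:
        by_logon[ev["logon_id"]].append(ev)
    findings = []
    for logon_id, evs in by_logon.items():
        evs.sort(key=lambda e: e["time"])  # stable sort keeps log order on ties
        matched = []
        for ev in evs:
            if len(matched) < len(STEP_CHECKS) and STEP_CHECKS[len(matched)](ev):
                matched.append(ev)
        if len(matched) == len(STEP_CHECKS):
            logon, deletion = matched[0], matched[-1]
            findings.append(RemoteSamChange(
                logon_id, logon["account"], logon["src_ip"],
                deletion["target_account"], [e["id"] for e in matched]))
    return findings


if __name__ == "__main__":
    for f in correlate_remote_sam_changes(SAMPLE_EVENTS):
        print(f"{f.actor} from {f.source_ip} deleted {f.target_account} "
              f"(logon {f.logon_id}, events {f.steps})")
```

The same chain with 4720 or 4728 in place of 4726 would cover the add cases, but those event IDs are not listed in this section, so the block sticks to the deletion the table documents.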

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
"net user /add": 1 Negotiate Protocol Request [Source Host] [High Port] [Destination Host] 445 SMB2
Negotiate Protocol Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 2 Session Setup Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Setup Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 3 Tree Connect Request Tree: \\[Domain Controller]\IPC$ [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Connect Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 4 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 5 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 6 Create Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: samr [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 7 GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 8 Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c [Source Host] [High Port] [Destination Host] 445 DCERPC
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 9 Read Request Len:1024 Off:0 File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK [Destination Host] 445 [Source Host] [High Port] DCERPC
"net user /add": 10 Connect5 request [Source Host] [High Port] [Destination Host] 445 SAMR
Connect5 response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 11 EnumDomains request [Source Host] [High Port] [Destination Host] 445 SAMR
EnumDomains response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 12 LookupDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
LookupDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 13 OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 14 CreateUser2 request (In the packet, the account name to be added is written as "Account Name".) [Source Host] [High Port] [Destination Host] 445 SAMR
Ioctl Response, Error: STATUS_PENDING [Destination Host] 445 [Source Host] [High Port] SMB2
CreateUser2 response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 15 QueryUserInfo request [Source Host] [High Port] [Destination Host] 445 SAMR
QueryUserInfo response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 16 GetUserPwInfo request [Source Host] [High Port] [Destination Host] 445 SAMR
GetUserPwInfo response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 17 SetUserInfo2 request [Malformed Packet] (In the packet, the password of the added account is sent, though it lacks readability.) [Source Host] [High Port] [Destination Host] 445 SAMR
Ioctl Response, Error: STATUS_PENDING [Destination Host] 445 [Source Host] [High Port] SMB2
SetUserInfo2 response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 18 Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
"net user /add": 19 Close Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 20 Tree Disconnect Request [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Disconnect Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /add": 21 Session Logoff Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Logoff Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 1 Negotiate Protocol Request [Source Host] [High Port] [Destination Host] 445 SMB2
Negotiate Protocol Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 2 Session Setup Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Setup Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 3 Tree Connect Request Tree: \\[Domain Controller]\IPC$ [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Connect Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 4 Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 5 Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 6 Create Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: samr [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 7 GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 8 Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c [Source Host] [High Port] [Destination Host] 445 DCERPC
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 9 Read Request Len:1024 Off:0 File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK [Destination Host] 445 [Source Host] [High Port] DCERPC
"net group /add": 10 Connect5 request [Source Host] [High Port] [Destination Host] 445 SAMR
Connect5 response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 11 EnumDomains request [Source Host] [High Port] [Destination Host] 445 SAMR
EnumDomains response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 12 LookupDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
LookupDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 13 OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 14 LookupNames request (the group name to be added to this packet is written as "Names") [Source Host] [High Port] [Destination Host] 445 SAMR
LookupNames response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 15 OpenGroup request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenGroup response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 16 LookupNames request (the account name to be added to this packet is written as "Names") [Source Host] [High Port] [Destination Host] 445 SAMR
LookupNames response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 17 AddGroupMember request [Source Host] [High Port] [Destination Host] 445 SAMR
Ioctl Response, Error: STATUS_PENDING [Destination Host] 445 [Source Host] [High Port] SMB2
AddGroupMember response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 18 Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
"net group /add": 19 Close Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 20 Tree Disconnect Request [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Disconnect Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net group /add": 21 Session Logoff Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Logoff Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /delete": 1 Negotiate Protocol Request [Source Host] [High Port] [Destination Host] 445 SMB2
Negotiate Protocol Response [Destination Host] 445 [Source Host] [High Port] SMB2
Session Setup Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Setup Response [Destination Host] 445 [Source Host] [High Port] SMB2
Tree Connect Request Tree: \\[Domain Controller]\IPC$ [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Connect Response [Destination Host] 445 [Source Host] [High Port] SMB2
Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /delete": 2 Create Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: samr [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c [Source Host] [High Port] [Destination Host] 445 DCERPC
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
Read Request Len:1024 Off:0 File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK [Destination Host] 445 [Source Host] [High Port] DCERPC
Connect5 request [Source Host] [High Port] [Destination Host] 445 SAMR
Connect5 response [Destination Host] 445 [Source Host] [High Port] SAMR
EnumDomains request [Source Host] [High Port] [Destination Host] 445 SAMR
EnumDomains response [Destination Host] 445 [Source Host] [High Port] SAMR
LookupDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
LookupDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
LookupNames request (the account name to be deleted from this packet is written as "Names") [Source Host] [High Port] [Destination Host] 445 SAMR
LookupNames response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenUser request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenUser response [Destination Host] 445 [Source Host] [High Port] SAMR
QueryUserInfo request [Source Host] [High Port] [Destination Host] 445 SAMR
QueryUserInfo response [Destination Host] 445 [Source Host] [High Port] SAMR
QuerySecurity request [Source Host] [High Port] [Destination Host] 445 SAMR
QuerySecurity response [Destination Host] 445 [Source Host] [High Port] SAMR
GetGroupsForUser request [Source Host] [High Port] [Destination Host] 445 SAMR
GetGroupsForUser response [Destination Host] 445 [Source Host] [High Port] SAMR
GetAliasMembership request [Source Host] [High Port] [Destination Host] 445 SAMR
GetAliasMembership response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /delete": 3 Create Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: samr [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c [Source Host] [High Port] [Destination Host] 445 DCERPC
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
Read Request Len:1024 Off:0 File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK [Destination Host] 445 [Source Host] [High Port] DCERPC
Connect5 request [Source Host] [High Port] [Destination Host] 445 SAMR
Connect5 response [Destination Host] 445 [Source Host] [High Port] SAMR
EnumDomains request [Source Host] [High Port] [Destination Host] 445 SAMR
EnumDomains response [Destination Host] 445 [Source Host] [High Port] SAMR
LookupDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
LookupDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
LookupNames request (the account name to be deleted from this packet is written as "Names") [Source Host] [High Port] [Destination Host] 445 SAMR
LookupNames response [Destination Host] 445 [Source Host] [High Port] SAMR
OpenUser request [Source Host] [High Port] [Destination Host] 445 SAMR
OpenUser response [Destination Host] 445 [Source Host] [High Port] SAMR
RemoveMemberFromForeignDomain request [Source Host] [High Port] [Destination Host] 445 SAMR
RemoveMemberFromForeignDomain response [Destination Host] 445 [Source Host] [High Port] SAMR
DeleteUser request [Source Host] [High Port] [Destination Host] 445 SAMR
Ioctl Response, Error: STATUS_PENDING [Destination Host] 445 [Source Host] [High Port] SMB2
DeleteUser response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close request [Source Host] [High Port] [Destination Host] 445 SAMR
Close response [Destination Host] 445 [Source Host] [High Port] SAMR
Close Request File: samr [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
"net user /delete": 4 Tree Disconnect Request [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Disconnect Response [Destination Host] 445 [Source Host] [High Port] SMB2
Session Logoff Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Logoff Response [Destination Host] 445 [Source Host] [High Port] SMB2

- Remarks