net Command (net user/group)

Item	Source Host	Domain Controller
OS	Windows	Windows Server
Belonging to Domain	Required
Rights	Administrator
Service	Workstation	Active Directory Domain Services

- Source Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. CommandLine: Command line of the execution command (net user [User Name to Add] [Password] /add /domain) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net.exe) User: Execute as user
2	Security	4689	Process Termination	A process has exited. Process Information > Exit Status: Process return value (0x0) Subject > Account Name: Name of the account that executed the tool (account name) Log Date and Time: Process terminated date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe) Subject > Security ID: SID of the user who executed the tool (user SID)
3	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe) CommandLine: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain) ParentCommandLine: Command line of the parent process (net user [User Name to Add] [Password] /add /domain) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Image: Path to the executable file (C:\Windows\System32\net1.exe)

Prefetch

C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf
C:\Windows\Prefetch\NET.EXE-[RANDOM].pf

- Domain Controller

Event log

#	Log	Event ID	Task Category	Event Details
1	Security	4661	SAM	A handle to an object was requested. Audit Success: Success or failure (access successful) Object > Object Name: Target object name (DN) Subject > Account Name: Name of the account that executed the tool (administrator) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Object > Object Type: Target category (SAM_DOMAIN)
2	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Package Name (NTLM only): NTLM version (-) Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon
3	Security	4737	Security Group Management	A security-enabled global group was changed. Changed Attribute > SID History: Changed history of the SID (-) Group > Security ID: Changed SID of the group (SID of the domain administrator group) Group > Group Domain: Changed domain to which the group belongs (Domain) Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Changed privileges of the group (-) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Changed Attribute > SAM Account Name: Changed name of the SAM account (-) Group > Group Name: Changed name of the group (Domain Admins)
4	Security	4728	Security Group Management	A member was added to a security-enabled global group. Group > Security ID: SID of the group to which a member was added (SID of the domain administrator group) Group > Group Domain: Domain that the group to which a member was added belongs to (Domain) Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Member > Security ID: SID of the user who was added to the global group (SID of the created user) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Member > Account Name: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN]) Group > Group Name: Name of the group to which a member was added (Domain Admins)
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller port: 445) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
6	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
7	Security	4661	SAM	A handle to an object was requested. Audit Success: Success or failure (access successful) Object > Object Name: Target object name (DC=[DN]) Subject > Account Name: Name of the account that executed the tool (administrator) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Object > Object Type: Target category (SAM_DOMAIN)
8	Security	4624	Logon	An account was successfully logged on. Network Information > Source Port: Source port number Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Process Information > Process Name: Path to the executable file Network Information > Source Network Address: IP address that requested the logon
9	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])
10	Security	4726	User Account Management	A user account was deleted. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain that the account for which an attempt was made to reset the password belongs to (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the account for which an attempt was made to reset the password (deleted user name) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the user for which an attempt was made to reset the password (SID of the general user)
11	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (C:\Windows\System32) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller ports: 445, 88) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
12	Security	4661	SAM	A handle to an object was requested. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target object name (DN) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Process Information > Process Name: Name of the process that closed the handle (C\Windows\System32\lsass.exe) Object > Object Type: Target category (SAM_DOMAIN)
13	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file (-) Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
14	Security	4722	User Account Management	A user account was enabled. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain to which the enabled account belongs (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the enabled account (name of the added user) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the enabled user (SID of the general user)
15	Security	4720	User Account Management	A user account was created. Attribute > Old UAC Value: Old UAC value for the user that was created (0x0) Attribute > User Account Control: Account control for the user that was created Attribute > Account Expiration Date: Date on which the created user account expires Attribute > Password Last Set: Last set password for the created user Attribute > SID History: SID history of the created user (-) New Account > Account Name: Name of the created account (name of the added user) Attribute > Logon Time: Time at which the created user logged on Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Attribute > New UAC Value: New UAC value for the created user (0x15) Attribute > Profile Path: Path to profile of the created user Attribute > User Principal Name: Principal name of the created user (-) Attribute > Allowed Delegation Destination: Delegation destination allowed for the created user (-) New Account > Security ID: SID of the created user (SID of the general user) Attribute > Primary Group ID: Primary group ID to which the created user belongs (513) Attribute > Display Name: Display name for the created user Attribute > SAM Account Name: SAM account name for the created user (added user name) New Account > Account Domain: Domain to which the created user belongs (Domain) Attribute > User Workstation: Workstation name for the created user Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Privilege information for the created user (-) Attribute > Home Directory: Home directory for the created user Attribute > Script Path: Script path for the created user Attribute > Home Drive: Home drive for the created user Attribute > User Parameter: Parameter for the created user
16	Security	4738	User Account Management	A user account was changed. Changed Attribute > Home Drive: Changed home drive of the user (-) Target Account > Account Name: Changed name of the group (added user name) Changed Attribute > Display Name: Changed display name of the user Changed Attribute > Script Path: Changed path to the script of the user (-) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Changed Attribute > Allowed Delegation Destination: Changed delegation destination allowed for the user (-) Target Account > Account Domain: Changed domain to which the group belongs (Domain) Changed Attribute > User Workstation: Changed name of workstation of the user (-) Changed Attribute > SAM Account Name: Changed name of SAM account of the user (-) Target Account > Security ID: Changed SID of the group (SID of the general user) Changed Attribute > SID History: Changed history of SID of the user (-) Changed Attribute > Account Expiration Date: Changed date on which the user account expires Changed Attribute > Password Last Set: Changed password of the user that was last set (execution time) Changed Attribute > User Principal Name: Changed principal name of the user (-) Changed Attribute > User Parameter: Changed parameter of the user (-) Changed Attribute > Primary Group ID: Changed primary group ID to which the user belongs (-) Changed Attribute > New UAC Value: New UAC value for the changed user (0x10) Changed Attribute > Old UAC Value: Old UAC value for the changed user (0x15) Changed Attribute > User Account Control: Changed account control for the user (the account is enabled) Changed Attribute > Logon Time: Changed time at which the user logged on (-) Subject > Account Name: Name of the account that executed the tool (administrator) Changed Attribute > Home Directory: Changed home directory of the user (-) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Changed privileges of the user (-) Changed Attribute > Profile Path: Changed path to the profile of the user (-)
17	Security	4724	User Account Management	An attempt was made to reset an account password. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain that the account for which an attempt was made to reset the password belongs to (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the account for which an attempt was made to reset the password (added user name) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the user for which an attempt was made to reset the password (SID of the general user)
18	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (Domain Controller port: 445) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
19	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])

- Details: Source Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (net user [User Name to Add] [Password] /add /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net.exe)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe) Process Information > Token Escalation Type: Presence of privilege escalation Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe) CurrentDirectory: Work directory CommandLine: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process (net user [User Name to Add] [Password] /add /domain) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net1.exe)
2	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe) Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Process Information > Token Escalation Type: Presence of privilege escalation Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
3	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access SourceImage: Path to access source process (C:\Windows\system32\net.exe) TargetImage: Path to the access destination process (C:\Windows\system32\net1.exe)
4	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (17=UDP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
4	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (389) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (17=UDP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
5	Security	4703	Token Right Adjusted Events	A token right was adjusted. Disabled Privileges: Disabled privileges (-) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain]) Target Account > Logon ID: Session ID of the target user Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]/[Domain Name]) Subject > Logon ID: Session ID of the user who executed the process Process Information > Process ID: ID of the executed process Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
6	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (445) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID (4) Application Information > Application Name: Execution process (System)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (445) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID (4)
7	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (88) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (88) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
8	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE and WriteAttributes) Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials) Subject > Account Name: Name of the account that executed the tool Subject > Account Domain: Domain to which the account belongs Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials) Subject > Account Name: Name of the account that executed the tool Subject > Account Domain: Domain to which the account belongs Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\lsass.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net1.exe)
9	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Process Information > Exit Status: Process return value (0x0) Subject > Account Name: Name of the account that executed the tool (account name) Log Date and Time: Process terminated date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Subject > Security ID: SID of the user who executed the tool (user SID) Subject > Logon ID: Session ID of the user who executed the process
10	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL/-/[Hexadecimal]) Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
11	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net.exe)
11	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe) Subject > Logon ID: Session ID of the user who executed the process
12	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
13	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (net group "domain admins" [User Name to Add] /add /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net.exe)
13	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
14	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe) CurrentDirectory: Work directory CommandLine: Command line of the execution command (C:\Windows\system32\net1 group "domain admins" [User Name to Add] /add /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process (net group "domain admins" [User Name to Add] /add /domain) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net1.exe)
14	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe) Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
15	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1fffff) SourceImage: Path to access source process (C:\Windows\System32\net.exe) TargetImage: Path to the access destination process (C:\Windows\System32\net1.exe)
16	Security	4703	Token Right Adjusted Events	A token right was adjusted. Disabled Privileges: Disabled privileges (-) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain]) Target Account > Logon ID: Session ID of the target user Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]$/[Domain Name]) Subject > Logon ID: Session ID of the user who executed the process Process Information > Process ID: ID of the executed process Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
17	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (445) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID (4) Application Information > Application Name: Execution process (System)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (445) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID (4)
18	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net1.exe)
18	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Subject > Logon ID: Session ID of the user who executed the process
19	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
20	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net.exe)
20	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Process Information > Exit Status: Process return value (0x0) Subject > Account Name: Name of the account that executed the tool (account name) Log Date and Time: Process terminated date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe) Subject > Security ID: SID of the user who executed the tool (user SID) Subject > Logon ID: Session ID of the user who executed the process
21	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
22	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (net user [User Name to Create] /delete /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net.exe)
22	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
23	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\net.exe) CurrentDirectory: Work directory CommandLine: Command line of the execution command (C:\Windows\System32\net1 user netusertest /delete /domain) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process (net user [User Name to Create] /delete /domain) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\net1.exe)
23	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\net.exe) Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
24	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access SourceImage: Path to access source process (C:\Windows\System32\net.exe) TargetImage: Path to the access destination process (C:\Windows\System32\net1.exe)
25	Security	4703	Token Right Adjusted Events	A token right was adjusted. Disabled Privileges: Disabled privileges (-) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain]) Target Account > Logon ID: Session ID of the target user Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]/[Domain Name]) Subject > Logon ID: Session ID of the user who executed the process Process Information > Process ID: ID of the executed process Process Information > Process Name: Name of the process executed (C:\Windows\System32\lsass.exe)
26	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (445) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID (4) Application Information > Application Name: Execution process (System)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (445) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID (4)
27	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net1.exe)
27	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Process Information > Exit Status: Process return value (0x0) Subject > Account Name: Name of the account that executed the tool (account name) Log Date and Time: Process terminated date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net1.exe) Subject > Security ID: SID of the user who executed the tool (user SID) Subject > Logon ID: Session ID of the user who executed the process
28	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\net.exe)
28	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Process Information > Exit Status: Process return value (0x0) Subject > Account Name: Name of the account that executed the tool (account name) Log Date and Time: Process terminated date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe) Subject > Security ID: SID of the user who executed the tool (user SID) Subject > Logon ID: Session ID of the user who executed the process
29	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
30	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool (source host) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

#	File Name	Process	Attribute
1	NET1.EXE-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	NET1.EXE-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	NET1.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed
2	NET.EXE-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	NET.EXE-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	NET.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed
3	NET1.EXE-[RANDOM].pf	DATA_TRUNCATION	archive+not_indexed
	NET1.EXE-[RANDOM].pf	DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
	NET1.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
4	NET.EXE-[RANDOM].pf	DATA_TRUNCATION	archive+not_indexed
	NET.EXE-[RANDOM].pf	DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
	NET.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\NET1.EXE-[RANDOM].pf	FILE	ALLOCATED
2	[Drive Name]:\Windows\Prefetch\NET.EXE-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf	NET.EXE	C:\WINDOWS\SYSTEM32\NET1.EXE	Last Run Time (last execution date and time)
2	C:\Windows\Prefetch\NET.EXE-[RANDOM].pf	NET.EXE	C:\WINDOWS\SYSTEM32\NET.EXE	Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (udp) DestinationPort: Destination port number (high port) DestinationIp: Destination IP address (source host IP address) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number SourcePort: Source port number (389) SourceHostname: Source host name (Domain Controller host name) SourceIp: Source IP address (Domain Controller IP address)
1	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (389) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (17=UDP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (Domain Controller) Application Information > Process ID: Process ID
2	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (445) SourceHostname: Source host name (Domain Controller host name) SourceIp: Source IP address (Domain Controller IP address)
2	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (445) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (Domain Controller) Application Information > Process ID: Process ID
3	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (88) SourceHostname: Source host name (Domain Controller host name) SourceIp: Source IP address (Domain Controller IP address)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (88) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (Domain Controller) Application Information > Process ID: Process ID
	Security	4768	Kerberos Authentication Service	A Kerberos authentication ticket (TGT) was requested. Network Information > Client Address: Source IP address that requested the ticket (source host) Account Information > Supplied Realm Name: Account domain (domain) Additional Information > Ticket Option: Ticket settings (0x40810010) Account Information > Account Name: Name of the account from which the ticket was requested (administrator) Additional Information > Result Code: Ticket processing result (0x0) Network Information > Client Port: Source port number of the ticket request (high port) Account Information > User ID: SID of the account (SID of the administrator)
4	Security	4769	A Kerberos service ticket was requested	A Kerberos service ticket was requested. Network Information > Client Address: Source IP address that requested the ticket (source host) Account Information > Account Domain: Account domain (domain) Account Information > Account Name: Name of the account from which the ticket was requested ([administrator]@[Domain]) Additional Information > Ticket Option: Ticket settings (0x40810000) Additional Information > Error Code: Ticket processing result (0x0) Service Information > Service Name: Ticket service name ([Domain Controller Host Name]$) Account Information > Logon GUID: Session ID of the logon Service Information > Service ID: SID of the service (SID of the standard user) Network Information > Client Port: Source port number of the ticket request (high port)
4	Security	4769	A Kerberos service ticket was requested	A Kerberos service ticket was requested. Network Information > Client Address: Source IP address that requested the ticket (source host) Account Information > Account Domain: Account domain (domain) Account Information > Account Name: Name of the account from which the ticket was requested ([administrator]@[Domain]) Additional Information > Ticket Option: Ticket settings (0x40810000) Additional Information > Error Code: Ticket processing result (0x0) Service Information > Service Name: Service name of the ticket (krbtgt) Account Information > Logon GUID: Session ID of the logon Service Information > Service ID: SID of the service (SID of the KDC service) Network Information > Client Port: Source port number of the ticket request (high port)
5	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Subject > Logon ID: Session ID of the user who executed the process Subject > Account Domain: Domain to which the account belongs (domain) Subject > Account Name: Name of the account that executed the tool (administrator)
6	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file (-) Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
7	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Shared path Network Information > Source/Source Port: Execution source host/Port number Access Request Information > Access: Requested privileges (ReadData) Shared Information > Share Name: Share name used (\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
7	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privilege Shared Information > Share Name: Share name (\*\IPC$) Network Information > Source Address/Source Port: Source IP address/Port number Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (samr) Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
8	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target object name (DN) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Process Information > Process Name: Name of the process that closed the handle (C\Windows\System32\lsass.exe) Object > Object Type: Target category (SAM_DOMAIN) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target object name (DN) Access Request Information > Access: Requested privileges (ListAccounts) Object > Object Server: SecurityAccount Manager (Security Account Manager) Process Information > Process Name: Name of the process that closed the handle ({bf967a90-0de6-11d0-a285-00aa003049e2}) Object > Object Type: Target category (SAM_DOMAIN) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4720	User Account Management	A user account was created. Attribute > Old UAC Value: Old UAC value for the user that was created (0x0) Attribute > User Account Control: Account control for the user that was created Attribute > Account Expiration Date: Date on which the created user account expires Attribute > Password Last Set: Last set password for the created user Attribute > SID History: SID history of the created user (-) New Account > Account Name: Name of the created account (name of the added user) Attribute > Logon Time: Time at which the created user logged on Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Attribute > New UAC Value: New UAC value for the created user (0x15) Attribute > Profile Path: Path to profile of the created user Attribute > User Principal Name: Principal name of the created user (-) Attribute > Allowed Delegation Destination: Delegation destination allowed for the created user (-) New Account > Security ID: SID of the created user (SID of the general user) Attribute > Primary Group ID: Primary group ID to which the created user belongs (513) Attribute > Display Name: Display name for the created user Attribute > SAM Account Name: SAM account name for the created user (added user name) New Account > Account Domain: Domain to which the created user belongs (Domain) Attribute > User Workstation: Workstation name for the created user Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Privilege information for the created user (-) Attribute > Home Directory: Home directory for the created user Attribute > Script Path: Script path for the created user Attribute > Home Drive: Home drive for the created user Subject > Logon ID: Session ID of the user who executed the process Attribute > User Parameter: Parameter for the created user
	Security	4722	User Account Management	A user account was enabled. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain to which the enabled account belongs (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the enabled account (name of the added user) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the enabled user (SID of the general user) Subject > Logon ID: Session ID of the user who executed the process
	Security	4724	User Account Management	An attempt was made to reset an account password. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain that the account for which an attempt was made to reset the password belongs to (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the account for which an attempt was made to reset the password (added user name) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the user for which an attempt was made to reset the password (SID of the general user) Subject > Logon ID: Session ID of the user who executed the process
	Security	4738	User Account Management	A user account was changed. Changed Attribute > Home Drive: Changed home drive of the user (-) Target Account > Account Name: Changed name of the group (added user name) Changed Attribute > Display Name: Changed display name of the user Changed Attribute > Script Path: Changed path to the script of the user (-) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Changed Attribute > Allowed Delegation Destination: Changed delegation destination allowed for the user (-) Target Account > Account Domain: Changed domain to which the group belongs (Domain) Changed Attribute > User Workstation: Changed name of workstation of the user (-) Changed Attribute > SAM Account Name: Changed name of SAM account of the user (-) Target Account > Security ID: Changed SID of the group (SID of the general user) Subject > Logon ID: Session ID of the user who executed the process Changed Attribute > SID History: Changed history of SID of the user (-) Changed Attribute > Account Expiration Date: Changed date on which the user account expires Changed Attribute > Password Last Set: Changed password of the user that was last set (execution time) Changed Attribute > User Principal Name: Changed principal name of the user (-) Changed Attribute > User Parameter: Changed parameter of the user (-) Changed Attribute > Primary Group ID: Changed primary group ID to which the user belongs (-) Changed Attribute > New UAC Value: New UAC value for the changed user (0x10) Changed Attribute > Old UAC Value: Old UAC value for the changed user (0x15) Changed Attribute > User Account Control: Changed account control for the user (the account is enabled) Changed Attribute > Logon Time: Changed time at which the user logged on (-) Subject > Account Name: Name of the account that executed the tool (administrator) Changed Attribute > Home Directory: Changed home directory of the user (-) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Changed privileges of the user (-) Changed Attribute > Profile Path: Changed path to the profile of the user (-)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\lsass.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Subject > Logon ID: Session ID of the user who executed the authentication
9	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (445) SourceHostname: Source host name (Domain Controller host name) SourceIp: Source IP address (Domain Controller IP address)
9	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (445) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (Domain Controller) Application Information > Process ID: Process ID
10	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
11	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Package Name (NTLM only): NTLM version (-) Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
12	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Shared path Network Information > Source/Source Port: Execution source host/Port number Access Request Information > Access: Requested privileges (ReadData) Shared Information > Share Name: Share name used (\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Network Information > Source Address: Source IP address (source host IP address) Subject > Logon ID: Session ID of the user who executed the process
12	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privilege Shared Information > Share Name: Share name (\*\IPC$) Network Information > Source Address/Source Port: Source IP address/Port number Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (samr) Network Information > Source Address: Source IP address (source host IP address) Subject > Logon ID: Session ID of the user who executed the process
13	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Object > Object Name: Target object name (DN) Subject > Account Name: Name of the account that executed the tool (administrator) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Object > Object Type: Target category (SAM_DOMAIN) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Object > Object Name: Target object name (SID of the domain administrator group) Subject > Account Name: Name of the account that executed the tool (administrator) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Object > Object Type: Target category (SAM_GROUP) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4728	Security Group Management	A member was added to a security-enabled global group. Group > Security ID: SID of the group to which a member was added (SID of the domain administrator group) Group > Group Domain: Domain that the group to which a member was added belongs to (Domain) Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Member > Security ID: SID of the user who was added to the global group (SID of the created user) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Subject > Logon ID: Session ID of the user who executed the process Member > Account Name: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN]) Group > Group Name: Name of the group to which a member was added (Domain Admins)
	Security	4737	Security Group Management	A security-enabled global group was changed. Changed Attribute > SID History: Changed history of the SID (-) Group > Security ID: Changed SID of the group (SID of the domain administrator group) Group > Group Domain: Changed domain to which the group belongs (Domain) Subject > Account Name: Name of the account that executed the tool (administrator) Subject > Account Domain: Domain to which the account belongs (domain) Additional Information > Privileges: Changed privileges of the group (-) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Changed Attribute > SAM Account Name: Changed name of the SAM account (-) Subject > Logon ID: Session ID of the user who executed the process Group > Group Name: Changed name of the group (Domain Admins)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\lsass.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
14	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Subject > Logon ID: Session ID of the user who executed the authentication
15	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (445) SourceHostname: Source host name (Domain Controller host name) SourceIp: Source IP address (Domain Controller IP address)
15	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (445) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (Domain Controller) Application Information > Process ID: Process ID
16	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Subject > Logon ID: Session ID of the user who executed the process Subject > Account Domain: Domain to which the account belongs (domain) Subject > Account Name: Name of the account that executed the tool (administrator)
17	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain]) Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
18	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Shared path Network Information > Source/Source Port: Execution source host/Port number Access Request Information > Access: Requested privileges (ReadData) Shared Information > Share Name: Share name used (\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Network Information > Source Address: Source IP address (source host IP address) Subject > Logon ID: Session ID of the user who executed the process
18	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privilege Shared Information > Share Name: Share name (\*\IPC$) Network Information > Source Address/Source Port: Source IP address/Port number Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (samr) Network Information > Source Address: Source IP address (source host IP address) Subject > Logon ID: Session ID of the user who executed the process
19	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Object > Object Name: Target object name (DC=[DN]) Subject > Account Name: Name of the account that executed the tool (administrator) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Object > Object Type: Target category (SAM_DOMAIN) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4661	SAM	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Audit Success: Success or failure (access successful) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target object name (CN=Builtin,DC=[DN]) Access Request Information > Access: Requested privilege (DELETE) Object > Object Server: SecurityAccount Manager (Security Account Manager) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe) Object > Object Type: Target category (SAM_DOMAIN) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\lsass.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
20	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privilege Shared Information > Share Name: Share name (\*\IPC$) Network Information > Source Address/Source Port: Source IP address/Port number Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (samr) Network Information > Source Address: Source IP address (source host IP address) Subject > Logon ID: Session ID of the user who executed the process
20	Security	4726	User Account Management	A user account was deleted. Subject > Account Name: Name of the account that executed the tool (administrator) Target Account > Account Domain: Domain that the account for which an attempt was made to reset the password belongs to (Domain) Subject > Account Domain: Domain to which the account belongs (domain) Target Account > Account Name: Name of the account for which an attempt was made to reset the password (deleted user name) Subject > Security ID: SID of the user who executed the tool (SID of the administrator) Target Account > Security ID: SID of the user for which an attempt was made to reset the password (SID of the general user) Subject > Logon ID: Session ID of the user who executed the process
21	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain]) Subject > Logon ID: Session ID of the user who executed the authentication

- Packet Capture

#	Process	Source Host	Source Port Number	Destination Host	Destination Port Number	Protocol/Application
"net group /add": 16	LookupNames request (the account name to be added to this packet is written as "Names")	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 16	LookupNames response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 8	Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c	[Source Host]	[High Port]	[Destination Host]	445	DCERPC
"net user /add": 8	Write Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 9	Read Request Len:1024 Off:0 File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 9	Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK	[Destination Host]	445	[Source Host]	[High Port]	DCERPC
"net user /add": 2	Session Setup Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 2	Session Setup Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 3	Tree Connect Request Tree: \\[Domain Controller]\IPC$	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 3	Tree Connect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 1	Negotiate Protocol Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 1	Negotiate Protocol Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 6	Create Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 6	Create Response File: samr	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 7	GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 7	GetInfo Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 4	Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 4	Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 5	Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 5	Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 19	Close Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 19	Close Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 18	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 18	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /delete": 3	Create Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Create Response File: samr	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	GetInfo Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c	[Source Host]	[High Port]	[Destination Host]	445	DCERPC
	Write Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Read Request Len:1024 Off:0 File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK	[Destination Host]	445	[Source Host]	[High Port]	DCERPC
	Connect5 request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Connect5 response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	EnumDomains request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	EnumDomains response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	LookupDomain request,	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	LookupDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	LookupNames request (the account name to be deleted from this packet is written as "Names")	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	LookupNames response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenUser request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenUser response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	RemoveMemberFromForeignDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	RemoveMemberFromForeignDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	DeleteUser request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Ioctl Response, Error: STATUS_PENDING	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	DeleteUser response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Close Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 20	Tree Disconnect Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 20	Tree Disconnect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 21	Session Logoff Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 21	Session Logoff Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /delete": 2	Create Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Create Response File: samr	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	GetInfo Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c	[Source Host]	[High Port]	[Destination Host]	445	DCERPC
	Write Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Read Request Len:1024 Off:0 File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK	[Destination Host]	445	[Source Host]	[High Port]	DCERPC
	Connect5 request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Connect5 response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	EnumDomains request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	EnumDomains response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	LookupDomain request,	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	LookupDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	LookupNames request (the account name to be deleted from this packet is written as "Names")	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	LookupNames response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	OpenUser request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	OpenUser response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	QueryUserInfo request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	QueryUserInfo response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	QuerySecurity request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	QuerySecurity response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	GetGroupsForUser request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	GetGroupsForUser response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	GetAliasMembership request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	GetAliasMembership response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
	Close Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Close Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 21	Session Logoff Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 21	Session Logoff Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 20	Tree Disconnect Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 20	Tree Disconnect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /delete": 4	Tree Disconnect Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Tree Disconnect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Session Logoff Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Session Logoff Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 9	Read Request Len:1024 Off:0 File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 9	Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK	[Destination Host]	445	[Source Host]	[High Port]	DCERPC
"net group /add": 8	Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c	[Source Host]	[High Port]	[Destination Host]	445	DCERPC
"net group /add": 8	Write Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /delete": 1	Negotiate Protocol Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Negotiate Protocol Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Session Setup Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Session Setup Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Tree Connect Request Tree: \\[Domain Controller]\IPC$	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Tree Connect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
	Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 5	Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 5	Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 4	Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 4	Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 7	GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 7	GetInfo Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 6	Create Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 6	Create Response File: samr	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 1	Negotiate Protocol Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 1	Negotiate Protocol Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 3	Tree Connect Request Tree: \\[Domain Controller]\IPC$	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 3	Tree Connect Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 2	Session Setup Request	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net group /add": 2	Session Setup Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 11	EnumDomains request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 11	EnumDomains response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net group /add": 10	Connect5 request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 10	Connect5 response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net group /add": 13	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 13	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net group /add": 12	LookupDomain request,	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 12	LookupDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net group /add": 15	OpenGroup request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 15	OpenGroup response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net group /add": 14	LookupNames request (the group name to be added to this packet is written as "Names")	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net group /add": 14	LookupNames response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 18	Close request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 18	Close response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 19	Close Request File: samr	[Source Host]	[High Port]	[Destination Host]	445	SMB2
"net user /add": 19	Close Response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net group /add": 17	AddGroupMember request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Ioctl Response, Error: STATUS_PENDING	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	AddGroupMember response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 10	Connect5 request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 10	Connect5 response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 11	EnumDomains request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 11	EnumDomains response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 12	LookupDomain request,	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 12	LookupDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 13	OpenDomain request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 13	OpenDomain response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 14	CreateUser2 request, (In the packet, the account name to be added is written as "Account Name".)	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Ioctl Response, Error: STATUS_PENDING	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	CreateUser2 response	[Destination Host]	445	[Source Host]	[High Port]	SMB2
"net user /add": 15	QueryUserInfo request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 15	QueryUserInfo response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 16	GetUserPwInfo request	[Source Host]	[High Port]	[Destination Host]	445	SAMR
"net user /add": 16	GetUserPwInfo response	[Destination Host]	445	[Source Host]	[High Port]	SAMR
"net user /add": 17	SetUserInfo2 request[Malformed Packet] (In the packet, the password of the added account is sent, though it lacks readability.)	[Source Host]	[High Port]	[Destination Host]	445	SAMR
	Ioctl Response, Error: STATUS_PENDING	[Destination Host]	445	[Source Host]	[High Port]	SMB2
	SetUserInfo2 response	[Destination Host]	445	[Source Host]	[High Port]	SAMR

net Command (net user/group)

- Table of Contents

- Tool Overview

- Tool Operation Overview

- Information Acquired from Log

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

Prefetch

- Domain Controller

Event log

- Details: Source Host

- Event Log

- USN Journal

- MFT

- Prefetch

- Details: Destination Host

- Event Log

- Packet Capture

- Remarks