** Alert 1586178066.8931332: mail - local,syslog,sshd,
2020 Apr 06 13:01:06 (serv-test-windows-1) 172.17.1.1->EventChannel
Rule: 300001 (level 12) -> 'Wazuh CDB IP test rule'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"2","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-04-06T13:01:05.761372600Z","eventRecordID":"32978","processID":"540","threadID":"1948","channel":"Security","computer":"serv-test-windows-1","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSERV-TEST-WINDO$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t5\r\n\tRestricted Admin Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tYes\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x214\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"SERV-TEST-WINDO$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","targetUserSid":"S-1-5-18","targetUserName":"SYSTEM","targetDomainName":"NT AUTHORITY","targetLogonId":"0x3e7","logonType":"5","logonProcessName":"Advapi","authenticationPackageName":"Negotiate","logonGuid":"{00000000-0000-0000-0000-000000000000}","keyLength":"0","processId":"0x214","processName":"C:\\\\Windows\\\\System32\\\\services.exe","impersonationLevel":"%%1833","virtualAccount":"%%1843","targetLinkedLogonId":"0x0","elevatedToken":"%%1842"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4624
win.system.version: 2
win.system.level: 0
win.system.task: 12544
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2020-04-06T13:01:05.761372600Z
win.system.eventRecordID: 32978
win.system.processID: 540
win.system.threadID: 1948
win.system.channel: Security
win.system.computer: serv-test-windows-1
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "An account was successfully logged on.

Subject:
	Security ID:		S-1-5-18
	Account Name:		SERV-TEST-WINDO$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		5
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-18
	Account Name:		SYSTEM
	Account Domain:		NT AUTHORITY
	Logon ID:		0x3E7
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x214
	Process Name:		C:\Windows\System32\services.exe

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: SERV-TEST-WINDO$
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.targetUserSid: S-1-5-18
win.eventdata.targetUserName: SYSTEM
win.eventdata.targetDomainName: NT AUTHORITY
win.eventdata.targetLogonId: 0x3e7
win.eventdata.logonType: 5
win.eventdata.logonProcessName: Advapi
win.eventdata.authenticationPackageName: Negotiate
win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000}
win.eventdata.keyLength: 0
win.eventdata.processId: 0x214
win.eventdata.processName: C:\\Windows\\System32\\services.exe
win.eventdata.impersonationLevel: %%1833
win.eventdata.virtualAccount: %%1843
win.eventdata.targetLinkedLogonId: 0x0
win.eventdata.elevatedToken: %%1842