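├── LogHunter.py
├── README.md
├── events.log.example
└── find.sh
/LogHunter.py:
--------------------------------------------------------------------------------
# LogHunter.py
#
# Description:
#   Find user sessions by parsing the remote Security event log over MS-EVEN
#   (the legacy EventLog Remoting Protocol reachable on \pipe\eventlog).
#
# Author:
#   Michael Zhmaylo (MzHmO)

import argparse
import getpass
import logging
import struct
import sys
from datetime import datetime, timezone
from queue import Queue
from threading import Thread

from impacket.dcerpc.v5 import even, transport
# Currently unused: over ncacn_np the credentials given to the transport are
# consumed by the SMB layer and no RPC-level auth type/level is configured.
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
from impacket.examples.utils import parse_target


# ElfrReadELW read flags (same values as the winnt.h EVENTLOG_*_READ flags).
# A read combines exactly one of SEQUENTIAL/SEEK with one of FORWARDS/BACKWARDS.
EVENTLOG_SEQUENTIAL_READ = 0x00000001
EVENTLOG_SEEK_READ = 0x00000002
EVENTLOG_FORWARDS_READ = 0x00000004
EVENTLOG_BACKWARDS_READ = 0x00000008
# Largest buffer the server fills per ElfrReadELW call (MS-EVEN MAX_BATCH_BUFF).
MAX_BATCH_BUFF = 0x7ffff

# Fixed-size head of an EVENTLOGRECORD (MS-EVEN 2.2.3): 6 DWORDs, 4 WORDs,
# 6 DWORDs, all little-endian, 56 bytes. The variable part that follows
# (SourceName, ComputerName, UserSid, Strings, Data, trailing Length copy) is
# located through the offsets stored in this head.
EVENTLOGRECORD_FORMAT = '<IIIIIIHHHHIIIIII'
EVENTLOGRECORD_FIELDS = [
    'Length', 'Reserved', 'RecordNumber', 'TimeGenerated',
    'TimeWritten', 'EventID', 'EventType', 'NumStrings',
    'EventCategory', 'ReservedFlags', 'ClosingRecordNumber',
    'StringOffset', 'UserSidLength', 'UserSidOffset', 'DataLength', 'DataOffset'
]
EVENTLOGRECORD_SIZE = struct.calcsize(EVENTLOGRECORD_FORMAT)

# Events that reveal where an account is (or was) logged on.
event_descriptions = {
    4624: "An account was successfully logged on.",
    4768: "A Kerberos authentication ticket (TGT) was requested.",
    4672: "Special privileges assigned to new logon.",
    4769: "A Kerberos service ticket (TGS) was requested."
}

# Insertion-string order of each event as emitted by
# Microsoft-Windows-Security-Auditing. Older Windows builds emit fewer strings
# (the list is simply truncated); newer builds may append more (they are
# reported as String<N>).
event_4624_fields = [
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId",
    "LogonType", "LogonProcessName", "AuthenticationPackageName", "WorkstationName",
    "LogonGuid", "TransmittedServices", "LmPackageName", "KeyLength", "ProcessId",
    "ProcessName", "IpAddress", "IpPort", "ImpersonationLevel", "RestrictedAdminMode",
    "TargetOutboundUserName", "TargetOutboundDomainName", "VirtualAccount",
    "TargetLinkedLogonId", "ElevatedToken"
]

event_4672_fields = [
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId", "PrivilegeList"
]

event_4768_fields = [
    "TargetUserName", "TargetDomainName", "TargetSid", "ServiceName",
    "ServiceSid", "TicketOptions", "Status", "TicketEncryptionType",
    "PreAuthType", "IpAddress", "IpPort", "CertIssuerName",
    "CertSerialNumber", "CertThumbprint"
]

event_4769_fields = [
    "TargetUserName", "TargetDomainName", "ServiceName",
    "ServiceSid", "TicketOptions", "TicketEncryptionType",
    "IpAddress", "IpPort", "Status", "LogonGuid", "TransmittedServices"
]
# Misspelt name kept as an alias so existing references keep working.
event_4769_fiels = event_4769_fields

event_fields_mapping = {
    4624: event_4624_fields,
    4672: event_4672_fields,
    4768: event_4768_fields,
    4769: event_4769_fields
}


class DebugHelper:
    # Lower-cased attribute-name fragments whose values are credentials. They
    # must never be written to the -outfile log or the console, even in -debug.
    SENSITIVE_MARKERS = ('password', 'hash', 'aeskey')

    @staticmethod
    def PrintClassInstanceAttributes(instance):
        """Log every non-dunder data attribute of *instance* at DEBUG level.

        Credential-bearing attributes (password, LM/NT hashes, AES key) are
        replaced by '<redacted>' when set; the previous version dumped them in
        clear text into events.log whenever -debug was used. Methods are skipped.
        """
        for attr in dir(instance):
            if attr.startswith('__'):
                continue
            value = getattr(instance, attr)
            if callable(value):
                continue
            lowered = attr.lower()
            if value and any(marker in lowered for marker in DebugHelper.SENSITIVE_MARKERS):
                value = '<redacted>'
            logging.debug("%s: %s", attr, value)


class Parser:
    """Byte-level helpers for the EVENTLOGRECORD wire format."""

    @staticmethod
    def decode_string(data_bytes, offset):
        """Decode one NUL-terminated UTF-16LE string starting at *offset*.

        Returns (text, next_offset) with next_offset just past the two-byte
        terminator. The scan advances one UTF-16 code unit at a time so a 0x00
        low byte inside a character (e.g. U+0100) is not taken for the
        terminator. Without a terminator the string runs to the end of the
        buffer and next_offset == len(data_bytes).
        """
        limit = len(data_bytes)
        end = offset
        while end + 1 < limit and not (data_bytes[end] == 0 and data_bytes[end + 1] == 0):
            end += 2
        text = data_bytes[offset:end].decode('utf-16-le', errors='replace')
        return text, min(end + 2, limit)

    @staticmethod
    def handle_padding(offset):
        """Round *offset* up to the next DWORD (4-byte) boundary."""
        return (offset + 3) & ~3

    @staticmethod
    def decode_strings(data_bytes, record):
        """Return the record's NumStrings insertion strings.

        The strings are consecutive NUL-terminated UTF-16LE strings starting at
        StringOffset; decoding stops early if the buffer runs out.
        """
        strings = []
        offset = record['StringOffset']
        for _ in range(record['NumStrings']):
            if offset >= len(data_bytes):
                break
            text, offset = Parser.decode_string(data_bytes, offset)
            strings.append(text)
        return strings

    @staticmethod
    def decode_sid(sid_bytes):
        """Render a binary SID as 'S-<rev>-<authority>-<sub>...'.

        Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
        big-endian identifier authority, then count little-endian DWORDs.
        Returns None when the buffer is empty or shorter than it claims.
        """
        if not sid_bytes or len(sid_bytes) < 8:
            return None
        revision = sid_bytes[0]
        count = sid_bytes[1]
        if len(sid_bytes) < 8 + 4 * count:
            return None
        authority = int.from_bytes(sid_bytes[2:8], 'big')
        sub_authorities = struct.unpack_from('<%dI' % count, sid_bytes, 8)
        return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in sub_authorities)

    @staticmethod
    def extract_username(data_string):
        """Compatibility shim.

        Strings are now decoded as UTF-16LE, so the former byte-level heuristic
        (searching for '\\x04\\x00' / '\\x04@' to re-decode a mangled name) is
        unnecessary; only stray NULs are stripped.
        """
        return data_string.replace('\x00', '')

    @staticmethod
    def split_records(buffer):
        """Split one ElfrReadELW buffer into raw EVENTLOGRECORD byte strings.

        Every record begins with its Length (DWORD). A Length smaller than the
        fixed head or running past the buffer ends the walk; the server pads the
        rest of the buffer with zeros, which hits the first condition.
        """
        records = []
        offset = 0
        total = len(buffer)
        while offset + EVENTLOGRECORD_SIZE <= total:
            (length,) = struct.unpack_from('<I', buffer, offset)
            if length < EVENTLOGRECORD_SIZE or offset + length > total:
                if length != 0:
                    logging.debug("Stopping at offset %d: implausible record length %d", offset, length)
                break
            records.append(buffer[offset:offset + length])
            offset += length
        return records


class MsEvenHandler:
    """Connects to a remote \\pipe\\eventlog endpoint and streams Security records."""

    def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, doKerberos=False, kdcHost=None):
        self.__username = username
        self.__password = password
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__aesKey = aesKey
        self.__doKerberos = doKerberos
        self.__kdcHost = kdcHost
        self.__dce = None

        if hashes is not None:
            if ':' in hashes:
                self.__lmhash, self.__nthash = hashes.split(':', 1)
            else:
                # Accept a bare NT hash (empty LM half) instead of failing on unpack.
                self.__nthash = hashes

    def bound(self, address):
        """Connect to \\\\address\\pipe\\eventlog and bind the MS-EVEN interface.

        Returns the connected DCERPC object (also kept on the instance so
        disconnect() can release it). Raises whatever impacket raises on
        connection or authentication failure.
        """
        stringbinding = r'ncacn_np:%s[\pipe\eventlog]' % address
        logging.debug(r"Trying to connect on %s\pipe\eventlog, stringbinding: %s on user %s",
                      address, stringbinding, self.__username)

        rpctransport = transport.DCERPCTransportFactory(stringbinding)
        rpctransport.set_credentials(username=self.__username,
                                     password=self.__password,
                                     domain=self.__domain,
                                     lmhash=self.__lmhash,
                                     nthash=self.__nthash,
                                     aesKey=self.__aesKey,
                                     )
        if self.__doKerberos:
            rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)

        self.__dce = rpctransport.get_dce_rpc()
        self.__dce.connect()
        self.__dce.bind(even.MSRPC_UUID_EVEN)
        logging.debug("Successfully bound to MS-EVEN")

        return self.__dce

    def disconnect(self):
        """Best-effort teardown of the RPC connection opened by bound()."""
        if self.__dce is None:
            return
        try:
            self.__dce.disconnect()
        except Exception as e:
            logging.debug("Disconnect failed: %s", e)
        self.__dce = None

    @staticmethod
    def parse_record(data_bytes):
        """Parse one raw EVENTLOGRECORD into a dict.

        Returns None when the event is not one of event_descriptions. Raises
        ValueError/struct.error for a record that is too short to hold the head.
        Insertion strings are exposed both as record['Strings'] and, mapped
        through event_fields_mapping, as record[<FieldName>] plus the ordered
        record['Fields'] list of (name, value) pairs.
        """
        if len(data_bytes) < EVENTLOGRECORD_SIZE:
            raise ValueError("record shorter than the fixed EVENTLOGRECORD head")

        record = dict(zip(EVENTLOGRECORD_FIELDS, struct.unpack_from(EVENTLOGRECORD_FORMAT, data_bytes, 0)))

        # The low word is the event number; the high bits carry severity/facility.
        event_id = record['EventID'] & 0xFFFF
        record['EventID'] = event_id
        if event_id not in event_descriptions:
            return None
        record['Description'] = event_descriptions[event_id]

        # SourceName and ComputerName follow the fixed head back to back.
        offset = EVENTLOGRECORD_SIZE
        record['SourceName'], offset = Parser.decode_string(data_bytes, offset)
        record['ComputerName'], offset = Parser.decode_string(data_bytes, offset)

        sid_len, sid_off = record['UserSidLength'], record['UserSidOffset']
        record['UserSid'] = Parser.decode_sid(data_bytes[sid_off:sid_off + sid_len]) if sid_len > 0 else None

        record['Strings'] = Parser.decode_strings(data_bytes, record)
        names = event_fields_mapping.get(event_id, [])
        fields = []
        for index, value in enumerate(record['Strings']):
            name = names[index] if index < len(names) else 'String%d' % index
            value = value.replace('\x00', '')
            record[name] = value
            fields.append((name, value))
        record['Fields'] = fields

        data_len, data_off = record['DataLength'], record['DataOffset']
        record['Data'] = data_bytes[data_off:data_off + data_len] if data_len > 0 else None

        # The record ends with a second copy of Length; a mismatch means the
        # record was cut or misaligned and its strings should not be trusted.
        length = record['Length']
        if EVENTLOGRECORD_SIZE <= length <= len(data_bytes):
            (record['Length2'],) = struct.unpack_from('<I', data_bytes, length - 4)
            if record['Length2'] != length:
                logging.debug("Record %d: trailing length %d != %d", record['RecordNumber'], record['Length2'], length)
        else:
            record['Length2'] = None
        return record

    @staticmethod
    def process_record(data_bytes):
        """Parse one record and write it to the log in the events.log format."""
        record = MsEvenHandler.parse_record(data_bytes)
        if record is None:
            return

        time_generated = datetime.fromtimestamp(record['TimeGenerated'], timezone.utc).strftime('%Y-%m-%d %H:%M:%S')

        logging.info("------------------")
        logging.info("[NEW EVENT FOUND]")
        logging.info("EventID: %d", record['EventID'])
        logging.info("Description: %s", record['Description'])
        logging.info("Time Generated: %s", time_generated)
        logging.info("SourceName: %s", record['SourceName'].replace('\x00', ''))
        logging.info("ComputerName: %s", record['ComputerName'].replace('\x00', ''))
        logging.info("UserSid: %s", record['UserSid'])
        for name, value in record['Fields']:
            logging.info("%s: %s", name, value)
        logging.info("------------------")

    @staticmethod
    def process_logs(q):
        """Consumer thread: take raw records from *q* and log the interesting ones.

        A None item is the end-of-stream sentinel and ends the loop (the
        previous version did `continue` on it and then blocked in q.get()
        forever, so the main thread could never join). A record that fails to
        parse is logged at DEBUG and skipped instead of killing the thread and
        silently dropping every record after it.
        """
        while True:
            data_bytes = q.get()
            try:
                if data_bytes is None:
                    break
                try:
                    MsEvenHandler.process_record(data_bytes)
                except Exception as e:
                    logging.debug("Skipping unparsable record: %s", e)
            finally:
                q.task_done()

    @staticmethod
    def read_logs(q, dce, hLogHandle, recordscount, oldestrecord=None):
        """Producer thread: read the whole log newest-first, one raw record per queue item.

        Valid record numbers are oldestrecord .. oldestrecord+recordscount-1;
        the oldest number is only 1 for a log that has never wrapped or been
        cleared, so it is queried with ElfrOldestRecord when not supplied (the
        previous version seeked to 1..recordscount, which fails on a wrapped
        log, and never read record 1). Each ElfrReadELW call seeks to the
        current record with BACKWARDS_READ, so the server returns that record
        and as many older ones as fit in MAX_BATCH_BUFF; the buffer is split
        locally and the cursor moves back by the number of records received
        (instead of one 512 KiB round trip per record). A None sentinel is
        always queued last so process_logs terminates, even after an error.
        """
        record_offset = None
        try:
            if recordscount <= 0:
                return
            if oldestrecord is None:
                oldestrecord = even.hElfrOldestRecord(dce=dce, logHandle=hLogHandle)['OldestRecordNumber']
            record_offset = oldestrecord + recordscount - 1
            while record_offset >= oldestrecord:
                response = even.hElfrReadELW(
                    dce=dce,
                    logHandle=hLogHandle,
                    readFlags=EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ,
                    recordOffset=record_offset,
                    numberOfBytesToRead=MAX_BATCH_BUFF
                )
                # Buffer is sized by the request; only NumberOfBytesRead bytes are valid.
                buffer = b''.join(response['Buffer'])[:response['NumberOfBytesRead']]
                records = Parser.split_records(buffer)
                if not records:
                    logging.debug("No records returned at record %d, stopping", record_offset)
                    break
                for raw in records:
                    q.put(raw)
                record_offset -= len(records)
        except Exception as e:
            logging.error("Reading the event log failed at record %s: %s", record_offset, e)
        finally:
            q.put(None)


def main():
    print("--------------------------------")
    print("[+] LogHunter.py - a tool for finding user sessions by analyzing event log files through RPC (MS-EVEN) [+]")
    print("--------------------------------")

    parser = argparse.ArgumentParser(add_help=True, description="Trying to find user session behalf of 4624, 4768, 4769 and 4672 events "
                                                                "using MS-EVEN.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar="LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true",
                       help='Use Kerberos authentication. Grabs credentials from ccache file '
                            '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
                            'ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication '
                                                                          '(128 or 256 bits)')
    group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If '
                                                                             'ommited it use the domain part (FQDN) specified in the target parameter')
    group.add_argument('-outfile', action='store', metavar="output file", help='file with information about sessions', default="events.log")

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # utf-8 so non-ASCII account names (see events.log.example) survive the file handler.
    handlers = [logging.FileHandler(options.outfile, encoding='utf-8'), logging.StreamHandler()]
    if options.debug is True:
        logging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)s - %(message)s', handlers=handlers)
    else:
        logging.basicConfig(level=logging.INFO, format='%(message)s', handlers=handlers)

    if options.aesKey is not None:
        options.k = True

    domain, username, password, address = parse_target(options.target)
    if domain is None:
        domain = ''

    # Same convention as the impacket examples: prompt unless another secret
    # was supplied or -no-pass was given (-no-pass was parsed but ignored before).
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        password = getpass.getpass("Password:")

    logHunter = MsEvenHandler(username=username, password=password, domain=domain,
                              hashes=options.hashes, aesKey=options.aesKey, doKerberos=options.k, kdcHost=options.dc_ip)

    DebugHelper.PrintClassInstanceAttributes(logHunter)

    dce = None
    hLogHandle = None
    reader_thread = None
    try:
        dce = logHunter.bound(address=address)

        response = even.hElfrOpenELW(dce=dce, moduleName="Security")
        hLogHandle = response['LogHandle']

        recordscount = even.hElfrNumberOfRecords(dce=dce, logHandle=hLogHandle)['NumberOfRecords']
        oldestrecord = even.hElfrOldestRecord(dce=dce, logHandle=hLogHandle)['OldestRecordNumber']
        logging.debug("Found %d records, oldest record number %d", recordscount, oldestrecord)

        log_queue = Queue()
        # Daemon threads so a Ctrl-C in the main thread is not held up by a blocked join.
        processing_thread = Thread(target=MsEvenHandler.process_logs, args=(log_queue,), daemon=True)
        reader_thread = Thread(target=MsEvenHandler.read_logs,
                               args=(log_queue, dce, hLogHandle, recordscount, oldestrecord), daemon=True)

        processing_thread.start()
        reader_thread.start()
        reader_thread.join()
        processing_thread.join()

    except KeyboardInterrupt:
        print("Interrupted")

    except Exception as e:
        if options.debug:
            logging.debug("Unhandled error", exc_info=True)
        print(f"An error occured: {str(e)}")

    finally:
        # Do not touch the shared DCERPC object while the reader may still be using it.
        reader_busy = reader_thread is not None and reader_thread.is_alive()
        if dce is not None and hLogHandle is not None and not reader_busy:
            try:
                even.hElfrCloseEL(dce=dce, logHandle=hLogHandle)
            except Exception as e:
                logging.debug("Closing the log handle failed: %s", e)
        if not reader_busy:
            logHunter.disconnect()


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# LogHunter
Opsec tool for finding user sessions by analyzing event log files through RPC (MS-EVEN).

I was once doing a very complex project where there were over 1000 hosts in the infrastructure. I needed to detect the user session. Running Invoke-UserHunter would have been a huge mistake. That's when I came up with the idea that we could extract all the information we needed from Event Logs. That's how the LogHunter tool came into being. The tool is able to extract the following events via MS-EVEN protocol:
4624: “An account was successfully logged on.”,
4768: “A Kerberos authentication ticket (TGT) was requested.”,
4672: “Special privileges assigned to new logon.”,
4769: “A Kerberos service ticket (TGS) was requested.”.

These events will give us information about which computer the target user is on. Then hijack that computer and take control of the user.

# Requirements

You only have to install impacket. Other modules (e.g.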
logging, argparse, sys, struct, Queue, Thread, datetime) are standard Python libraries and are installed with Python.

```shell
pip install impacket
```

# Usage

See the demo video at the end of this README :)

To use the tool, pass credentials as you would to any other impacket tool. The account must be allowed to read the remote Security log (by default local Administrators, or members of the Event Log Readers group). Note that the connection itself is an authenticated network logon to the target, so if logon auditing is enabled it leaves its own 4624 (and possibly 4672) events there:
```shell
python LogHunter.py OFFICE/Administrator:lolkekcheb123!@dc01.office.pwn
```
![изображение](https://github.com/CICADA8-Research/LogHunter/assets/92790655/e5d39d43-4cf2-4d65-9009-9bed3fc5ad98)


After that, the tool starts receiving events from the target computer (in this case, dc01.office.pwn) and writes them to the `events.log` file (the path can be overridden with the -outfile parameter). You can then search the file with find.sh - by user name, by EventID, or by computer name, whatever you prefer.

```shell
./find.sh -file events.log -searchkeyword Administrator
```
![изображение](https://github.com/CICADA8-Research/LogHunter/assets/92790655/5f6c09ec-c791-41ba-a57a-2d5c7d00151b)


# Demo

Check Here!

https://www.youtube.com/watch?v=0fjSTbyD9F0
--------------------------------------------------------------------------------
/events.log.example:
--------------------------------------------------------------------------------
------------------
[NEW EVENT FOUND]
EventID: 4624
Description: An account was successfully logged on.
5 | Time Generated: 2024-06-11 19:47:22 6 | SourceName: Microsoft-Windows-Security-Auditing 7 | ComputerName: dc01.office.pwn 8 | UserSid: None 9 | SubjectUserSid: S-1-0-0 10 | SubjectUserName: - 11 | SubjectDomainName: - 12 | SubjectLogonId: 0x0 13 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 14 | TargetUserName: dcom 15 | TargetDomainName: dcom 16 | TargetLogonId: 0x3477ae 17 | LogonType: 3 18 | LogonProcessName: Kerberos 19 | AuthenticationPackageName: Kerberos 20 | WorkstationName: 21 | LogonGuid: 22 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 23 | LmPackageName: - 24 | KeyLength: - 25 | ProcessId: 0 26 | ProcessName: 0x0 27 | IpAddress: - 28 | IpPort: 172.16.0.4 29 | ImpersonationLevel: 61639 30 | RestrictedAdminMode: %%1833 31 | TargetOutboundUserName: - 32 | TargetOutboundDomainName: - 33 | VirtualAccount: - 34 | TargetLinkedLogonId: %%1843 35 | ElevatedToken: 0x0 36 | ------------------ 37 | ------------------ 38 | [NEW EVENT FOUND] 39 | EventID: 4672 40 | Description: Special privileges assigned to new logon. 41 | Time Generated: 2024-06-11 19:47:22 42 | SourceName: Microsoft-Windows-Security-Auditing 43 | ComputerName: dc01.office.pwn 44 | UserSid: None 45 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 46 | SubjectUserName: dcom 47 | SubjectDomainName: dcom 48 | SubjectLogonId: 0x3477ae 49 | PrivilegeList: SeSecurityPrivilege 50 | SeBackupPrivilege 51 | SeRestorePrivilege 52 | SeTakeOwnershipPrivilege 53 | SeDebugPrivilege 54 | SeSystemEnvironmentPrivilege 55 | SeLoadDriverPrivilege 56 | SeImpersonatePrivilege 57 | SeDelegateSessionUserImpersonatePrivilege 58 | SeEnableDelegationPrivilege 59 | ------------------ 60 | ------------------ 61 | [NEW EVENT FOUND] 62 | EventID: 4624 63 | Description: An account was successfully logged on. 
64 | Time Generated: 2024-06-11 19:47:22 65 | SourceName: Microsoft-Windows-Security-Auditing 66 | ComputerName: dc01.office.pwn 67 | UserSid: None 68 | SubjectUserSid: S-1-0-0 69 | SubjectUserName: - 70 | SubjectDomainName: - 71 | SubjectLogonId: 0x0 72 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 73 | TargetUserName: dcom 74 | TargetDomainName: dcom 75 | TargetLogonId: 0x34770d 76 | LogonType: 3 77 | LogonProcessName: Kerberos 78 | AuthenticationPackageName: Kerberos 79 | WorkstationName: 80 | LogonGuid: 81 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 82 | LmPackageName: - 83 | KeyLength: - 84 | ProcessId: 0 85 | ProcessName: 0x0 86 | IpAddress: - 87 | IpPort: 172.16.0.4 88 | ImpersonationLevel: 61637 89 | RestrictedAdminMode: %%1833 90 | TargetOutboundUserName: - 91 | TargetOutboundDomainName: - 92 | VirtualAccount: - 93 | TargetLinkedLogonId: %%1843 94 | ElevatedToken: 0x0 95 | ------------------ 96 | ------------------ 97 | [NEW EVENT FOUND] 98 | EventID: 4672 99 | Description: Special privileges assigned to new logon. 100 | Time Generated: 2024-06-11 19:47:22 101 | SourceName: Microsoft-Windows-Security-Auditing 102 | ComputerName: dc01.office.pwn 103 | UserSid: None 104 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 105 | SubjectUserName: dcom 106 | SubjectDomainName: dcom 107 | SubjectLogonId: 0x34770d 108 | PrivilegeList: SeSecurityPrivilege 109 | SeBackupPrivilege 110 | SeRestorePrivilege 111 | SeTakeOwnershipPrivilege 112 | SeDebugPrivilege 113 | SeSystemEnvironmentPrivilege 114 | SeLoadDriverPrivilege 115 | SeImpersonatePrivilege 116 | SeDelegateSessionUserImpersonatePrivilege 117 | SeEnableDelegationPrivilege 118 | ------------------ 119 | ------------------ 120 | [NEW EVENT FOUND] 121 | EventID: 4769 122 | Description: A Kerberos service ticket (TGS) was requested. 
123 | Time Generated: 2024-06-11 19:47:22 124 | SourceName: Microsoft-Windows-Security-Auditing 125 | ComputerName: dc01.office.pwn 126 | UserSid: None 127 | TargetUserName: dcom@OFFICE.PWN 128 | TargetDomainName: OFFICE.PWN 129 | ServiceName: OFFICE.PWN 130 | ServiceName: DC01$ 131 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 132 | TicketOptions: 0x40800000 133 | TicketEncryptionType: 0x12 134 | IpAddress: ::ffff:172.16.0.4 135 | IpPort: 61638 136 | Status: 0x0 137 | LogonGuid: {6753957F-4545-D801-355C-0DF31DB07ED9} 138 | TransmittedServices: - 139 | ------------------ 140 | ------------------ 141 | [NEW EVENT FOUND] 142 | EventID: 4624 143 | Description: An account was successfully logged on. 144 | Time Generated: 2024-06-11 19:47:22 145 | SourceName: Microsoft-Windows-Security-Auditing 146 | ComputerName: dc01.office.pwn 147 | UserSid: None 148 | SubjectUserSid: S-1-0-0 149 | SubjectUserName: - 150 | SubjectDomainName: - 151 | SubjectLogonId: 0x0 152 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 153 | TargetUserName: dcom 154 | TargetDomainName: dcom 155 | TargetLogonId: 0x347661 156 | LogonType: 3 157 | LogonProcessName: Kerberos 158 | AuthenticationPackageName: Kerberos 159 | WorkstationName: 160 | LogonGuid: 161 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 162 | LmPackageName: - 163 | KeyLength: - 164 | ProcessId: 0 165 | ProcessName: 0x0 166 | IpAddress: - 167 | IpPort: 172.16.0.4 168 | ImpersonationLevel: 61633 169 | RestrictedAdminMode: %%1833 170 | TargetOutboundUserName: - 171 | TargetOutboundDomainName: - 172 | VirtualAccount: - 173 | TargetLinkedLogonId: %%1843 174 | ElevatedToken: 0x0 175 | ------------------ 176 | ------------------ 177 | [NEW EVENT FOUND] 178 | EventID: 4672 179 | Description: Special privileges assigned to new logon. 
180 | Time Generated: 2024-06-11 19:47:22 181 | SourceName: Microsoft-Windows-Security-Auditing 182 | ComputerName: dc01.office.pwn 183 | UserSid: None 184 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 185 | SubjectUserName: dcom 186 | SubjectDomainName: dcom 187 | SubjectLogonId: 0x347661 188 | PrivilegeList: SeSecurityPrivilege 189 | SeBackupPrivilege 190 | SeRestorePrivilege 191 | SeTakeOwnershipPrivilege 192 | SeDebugPrivilege 193 | SeSystemEnvironmentPrivilege 194 | SeLoadDriverPrivilege 195 | SeImpersonatePrivilege 196 | SeDelegateSessionUserImpersonatePrivilege 197 | SeEnableDelegationPrivilege 198 | ------------------ 199 | ------------------ 200 | [NEW EVENT FOUND] 201 | EventID: 4769 202 | Description: A Kerberos service ticket (TGS) was requested. 203 | Time Generated: 2024-06-11 19:47:22 204 | SourceName: Microsoft-Windows-Security-Auditing 205 | ComputerName: dc01.office.pwn 206 | UserSid: None 207 | TargetUserName: dcom@OFFICE.PWN 208 | TargetDomainName: OFFICE.PWN 209 | ServiceName: OFFICE.PWN 210 | ServiceName: DC01$ 211 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 212 | TicketOptions: 0x40810000 213 | TicketEncryptionType: 0x12 214 | IpAddress: ::ffff:172.16.0.4 215 | IpPort: 61636 216 | Status: 0x0 217 | LogonGuid: {6753957F-4545-D801-355C-0DF31DB07ED9} 218 | TransmittedServices: - 219 | ------------------ 220 | ------------------ 221 | [NEW EVENT FOUND] 222 | EventID: 4768 223 | Description: A Kerberos authentication ticket (TGT) was requested. 
224 | Time Generated: 2024-06-11 19:47:22 225 | SourceName: Microsoft-Windows-Security-Auditing 226 | ComputerName: dc01.office.pwn 227 | UserSid: None 228 | TargetUserName: dcom 229 | TargetDomainName: dcom 230 | TargetSid: OFFICE.PWN 231 | ServiceName: krbtgt 232 | ServiceSid: krbtgt 233 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 234 | Status: 0x40810010 235 | TicketEncryptionType: 0x0 236 | PreAuthType: 0x12 237 | IpAddress: 2 238 | IpPort: ::ffff:172.16.0.4 239 | CertIssuerName: 61635 240 | CertSerialNumber: 241 | CertThumbprint: 242 | ------------------ 243 | ------------------ 244 | [NEW EVENT FOUND] 245 | EventID: 4768 246 | Description: A Kerberos authentication ticket (TGT) was requested. 247 | Time Generated: 2024-06-11 19:47:22 248 | SourceName: Microsoft-Windows-Security-Auditing 249 | ComputerName: dc01.office.pwn 250 | UserSid: None 251 | TargetUserName: dcom 252 | TargetDomainName: dcom 253 | TargetSid: OFFICE.PWN 254 | ServiceName: krbtgt 255 | ServiceSid: krbtgt 256 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 257 | Status: 0x40810010 258 | TicketEncryptionType: 0x0 259 | PreAuthType: 0x12 260 | IpAddress: 2 261 | IpPort: ::ffff:172.16.0.4 262 | CertIssuerName: 61632 263 | CertSerialNumber: 264 | CertThumbprint: 265 | ------------------ 266 | ------------------ 267 | [NEW EVENT FOUND] 268 | EventID: 4769 269 | Description: A Kerberos service ticket (TGS) was requested. 
270 | Time Generated: 2024-06-11 19:47:21 271 | SourceName: Microsoft-Windows-Security-Auditing 272 | ComputerName: dc01.office.pwn 273 | UserSid: None 274 | TargetUserName: dcom@OFFICE.PWN 275 | TargetDomainName: OFFICE.PWN 276 | ServiceName: OFFICE.PWN 277 | ServiceName: WIN11$ 278 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1105 279 | TicketOptions: 0x40810000 280 | TicketEncryptionType: 0x12 281 | IpAddress: ::ffff:172.16.0.4 282 | IpPort: 61627 283 | Status: 0x0 284 | LogonGuid: {38BE4ECF-E535-6E32-4EB0-EE9669864283} 285 | TransmittedServices: - 286 | ------------------ 287 | ------------------ 288 | [NEW EVENT FOUND] 289 | EventID: 4768 290 | Description: A Kerberos authentication ticket (TGT) was requested. 291 | Time Generated: 2024-06-11 19:47:21 292 | SourceName: Microsoft-Windows-Security-Auditing 293 | ComputerName: dc01.office.pwn 294 | UserSid: None 295 | TargetUserName: dcom 296 | TargetDomainName: dcom 297 | TargetSid: OFFICE 298 | ServiceName: krbtgt 299 | ServiceSid: krbtgt 300 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 301 | Status: 0x40810010 302 | TicketEncryptionType: 0x0 303 | PreAuthType: 0x12 304 | IpAddress: 2 305 | IpPort: ::ffff:172.16.0.4 306 | CertIssuerName: 61626 307 | CertSerialNumber: 308 | CertThumbprint: 309 | ------------------ 310 | ------------------ 311 | [NEW EVENT FOUND] 312 | EventID: 4624 313 | Description: An account was successfully logged on. 
314 | Time Generated: 2024-06-11 19:47:09 315 | SourceName: Microsoft-Windows-Security-Auditing 316 | ComputerName: dc01.office.pwn 317 | UserSid: None 318 | SubjectUserSid: S-1-0-0 319 | SubjectUserName: - 320 | SubjectDomainName: - 321 | SubjectLogonId: 0x0 322 | TargetUserSid: S-1-5-18 323 | TargetUserName: DC01$ 324 | TargetDomainName: DC01$ 325 | TargetLogonId: 0x336bdd 326 | LogonType: 3 327 | LogonProcessName: Kerberos 328 | AuthenticationPackageName: Kerberos 329 | WorkstationName: 330 | LogonGuid: 331 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 332 | LmPackageName: - 333 | KeyLength: - 334 | ProcessId: 0 335 | ProcessName: 0x0 336 | IpAddress: - 337 | IpPort: ::1 338 | ImpersonationLevel: 49757 339 | RestrictedAdminMode: %%1833 340 | TargetOutboundUserName: - 341 | TargetOutboundDomainName: - 342 | VirtualAccount: - 343 | TargetLinkedLogonId: %%1843 344 | ElevatedToken: 0x0 345 | ------------------ 346 | ------------------ 347 | [NEW EVENT FOUND] 348 | EventID: 4672 349 | Description: Special privileges assigned to new logon. 350 | Time Generated: 2024-06-11 19:47:09 351 | SourceName: Microsoft-Windows-Security-Auditing 352 | ComputerName: dc01.office.pwn 353 | UserSid: None 354 | SubjectUserSid: S-1-5-18 355 | SubjectUserName: DC01$ 356 | SubjectDomainName: DC01$ 357 | SubjectLogonId: 0x336bdd 358 | PrivilegeList: SeSecurityPrivilege 359 | SeBackupPrivilege 360 | SeRestorePrivilege 361 | SeTakeOwnershipPrivilege 362 | SeDebugPrivilege 363 | SeSystemEnvironmentPrivilege 364 | SeLoadDriverPrivilege 365 | SeImpersonatePrivilege 366 | SeDelegateSessionUserImpersonatePrivilege 367 | SeEnableDelegationPrivilege 368 | ------------------ 369 | ------------------ 370 | [NEW EVENT FOUND] 371 | EventID: 4624 372 | Description: An account was successfully logged on. 
373 | Time Generated: 2024-06-11 19:46:27 374 | SourceName: Microsoft-Windows-Security-Auditing 375 | ComputerName: dc01.office.pwn 376 | UserSid: None 377 | SubjectUserSid: S-1-0-0 378 | SubjectUserName: - 379 | SubjectDomainName: - 380 | SubjectLogonId: 0x0 381 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-500 382 | TargetUserName: Администратор@OFFICE 383 | TargetDomainName: OFFICE 384 | TargetLogonId: 0x29c085 385 | LogonType: NtLmSsp 386 | LogonProcessName: NTLM 387 | AuthenticationPackageName: 388 | WorkstationName: 389 | LogonGuid: {00000000-0000-0000-0000-000000000000} 390 | TransmittedServices: - 391 | LmPackageName: NTLM V2 392 | KeyLength: 128 393 | ProcessId: 0x0 394 | ProcessName: - 395 | IpAddress: 172.16.0.5 396 | IpPort: 49198 397 | ImpersonationLevel: %%1833 398 | RestrictedAdminMode: - 399 | TargetOutboundUserName: - 400 | TargetOutboundDomainName: - 401 | VirtualAccount: %%1843 402 | TargetLinkedLogonId: 0x0 403 | ElevatedToken: %%1842 404 | ------------------ 405 | ------------------ 406 | [NEW EVENT FOUND] 407 | EventID: 4672 408 | Description: Special privileges assigned to new logon. 409 | Time Generated: 2024-06-11 19:46:27 410 | SourceName: Microsoft-Windows-Security-Auditing 411 | ComputerName: dc01.office.pwn 412 | UserSid: None 413 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-500 414 | SubjectUserName: Администратор@OFFICE 415 | SubjectDomainName: OFFICE 416 | SubjectLogonId: 0x29c085 417 | PrivilegeList: 418 | ------------------ 419 | ------------------ 420 | [NEW EVENT FOUND] 421 | EventID: 4624 422 | Description: An account was successfully logged on. 
423 | Time Generated: 2024-06-11 19:46:10 424 | SourceName: Microsoft-Windows-Security-Auditing 425 | ComputerName: dc01.office.pwn 426 | UserSid: None 427 | SubjectUserSid: S-1-0-0 428 | SubjectUserName: - 429 | SubjectDomainName: - 430 | SubjectLogonId: 0x0 431 | TargetUserSid: S-1-5-18 432 | TargetUserName: DC01$ 433 | TargetDomainName: DC01$ 434 | TargetLogonId: 0x264cd6 435 | LogonType: 3 436 | LogonProcessName: Kerberos 437 | AuthenticationPackageName: Kerberos 438 | WorkstationName: 439 | LogonGuid: 440 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 441 | LmPackageName: - 442 | KeyLength: - 443 | ProcessId: 0 444 | ProcessName: 0x0 445 | IpAddress: - 446 | IpPort: ::1 447 | ImpersonationLevel: 49755 448 | RestrictedAdminMode: %%1833 449 | TargetOutboundUserName: - 450 | TargetOutboundDomainName: - 451 | VirtualAccount: - 452 | TargetLinkedLogonId: %%1843 453 | ElevatedToken: 0x0 454 | ------------------ 455 | ------------------ 456 | [NEW EVENT FOUND] 457 | EventID: 4672 458 | Description: Special privileges assigned to new logon. 459 | Time Generated: 2024-06-11 19:46:10 460 | SourceName: Microsoft-Windows-Security-Auditing 461 | ComputerName: dc01.office.pwn 462 | UserSid: None 463 | SubjectUserSid: S-1-5-18 464 | SubjectUserName: DC01$ 465 | SubjectDomainName: DC01$ 466 | SubjectLogonId: 0x264cd6 467 | PrivilegeList: SeSecurityPrivilege 468 | SeBackupPrivilege 469 | SeRestorePrivilege 470 | SeTakeOwnershipPrivilege 471 | SeDebugPrivilege 472 | SeSystemEnvironmentPrivilege 473 | SeLoadDriverPrivilege 474 | SeImpersonatePrivilege 475 | SeDelegateSessionUserImpersonatePrivilege 476 | SeEnableDelegationPrivilege 477 | ------------------ 478 | ------------------ 479 | [NEW EVENT FOUND] 480 | EventID: 4624 481 | Description: An account was successfully logged on. 
482 | Time Generated: 2024-06-11 19:45:36 483 | SourceName: Microsoft-Windows-Security-Auditing 484 | ComputerName: dc01.office.pwn 485 | UserSid: None 486 | SubjectUserSid: S-1-0-0 487 | SubjectUserName: - 488 | SubjectDomainName: - 489 | SubjectLogonId: 0x0 490 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 491 | TargetUserName: dcom 492 | TargetDomainName: dcom 493 | TargetLogonId: 0x216727 494 | LogonType: 3 495 | LogonProcessName: NtLmSsp 496 | AuthenticationPackageName: NTLM 497 | WorkstationName: 498 | LogonGuid: 499 | TransmittedServices: {00000000-0000-0000-0000-000000000000} 500 | LmPackageName: - 501 | KeyLength: NTLM V2 502 | ProcessId: 128 503 | ProcessName: 0x0 504 | IpAddress: - 505 | IpPort: 172.16.0.5 506 | ImpersonationLevel: 55854 507 | RestrictedAdminMode: %%1833 508 | TargetOutboundUserName: - 509 | TargetOutboundDomainName: - 510 | VirtualAccount: - 511 | TargetLinkedLogonId: %%1843 512 | ElevatedToken: 0x0 513 | ------------------ 514 | ------------------ 515 | [NEW EVENT FOUND] 516 | EventID: 4672 517 | Description: Special privileges assigned to new logon. 518 | Time Generated: 2024-06-11 19:45:36 519 | SourceName: Microsoft-Windows-Security-Auditing 520 | ComputerName: dc01.office.pwn 521 | UserSid: None 522 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 523 | SubjectUserName: dcom 524 | SubjectDomainName: dcom 525 | SubjectLogonId: 0x216727 526 | PrivilegeList: SeSecurityPrivilege 527 | SeBackupPrivilege 528 | SeRestorePrivilege 529 | SeTakeOwnershipPrivilege 530 | SeDebugPrivilege 531 | SeSystemEnvironmentPrivilege 532 | SeLoadDriverPrivilege 533 | SeImpersonatePrivilege 534 | SeDelegateSessionUserImpersonatePrivilege 535 | SeEnableDelegationPrivilege 536 | ------------------ 537 | ------------------ 538 | [NEW EVENT FOUND] 539 | EventID: 4624 540 | Description: An account was successfully logged on. 
541 | Time Generated: 2024-06-11 19:45:19 542 | SourceName: Microsoft-Windows-Security-Auditing 543 | ComputerName: dc01.office.pwn 544 | UserSid: None 545 | SubjectUserSid: S-1-0-0 546 | SubjectUserName: - 547 | SubjectDomainName: - 548 | SubjectLogonId: 0x0 549 | TargetUserSid: S-1-5-18 550 | TargetUserName: DC01$ 551 | TargetDomainName: DC01$ 552 | TargetLogonId: 0x1c5911 553 | LogonType: 3 554 | LogonProcessName: Kerberos 555 | AuthenticationPackageName: Kerberos 556 | WorkstationName: 557 | LogonGuid: 558 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 559 | LmPackageName: - 560 | KeyLength: - 561 | ProcessId: 0 562 | ProcessName: 0x0 563 | IpAddress: - 564 | IpPort: fe80::e9a0:667c:84a3:6f47 565 | ImpersonationLevel: 49753 566 | RestrictedAdminMode: %%1840 567 | TargetOutboundUserName: - 568 | TargetOutboundDomainName: - 569 | VirtualAccount: - 570 | TargetLinkedLogonId: %%1843 571 | ElevatedToken: 0x0 572 | ------------------ 573 | ------------------ 574 | [NEW EVENT FOUND] 575 | EventID: 4672 576 | Description: Special privileges assigned to new logon. 577 | Time Generated: 2024-06-11 19:45:19 578 | SourceName: Microsoft-Windows-Security-Auditing 579 | ComputerName: dc01.office.pwn 580 | UserSid: None 581 | SubjectUserSid: S-1-5-18 582 | SubjectUserName: DC01$ 583 | SubjectDomainName: DC01$ 584 | SubjectLogonId: 0x1c5911 585 | PrivilegeList: SeSecurityPrivilege 586 | SeBackupPrivilege 587 | SeRestorePrivilege 588 | SeTakeOwnershipPrivilege 589 | SeDebugPrivilege 590 | SeSystemEnvironmentPrivilege 591 | SeLoadDriverPrivilege 592 | SeImpersonatePrivilege 593 | SeDelegateSessionUserImpersonatePrivilege 594 | SeEnableDelegationPrivilege 595 | ------------------ 596 | ------------------ 597 | [NEW EVENT FOUND] 598 | EventID: 4624 599 | Description: An account was successfully logged on. 
600 | Time Generated: 2024-06-11 19:45:19 601 | SourceName: Microsoft-Windows-Security-Auditing 602 | ComputerName: dc01.office.pwn 603 | UserSid: None 604 | SubjectUserSid: S-1-0-0 605 | SubjectUserName: - 606 | SubjectDomainName: - 607 | SubjectLogonId: 0x0 608 | TargetUserSid: S-1-5-18 609 | TargetUserName: DC01$ 610 | TargetDomainName: DC01$ 611 | TargetLogonId: 0x1c4d2d 612 | LogonType: 3 613 | LogonProcessName: Kerberos 614 | AuthenticationPackageName: Kerberos 615 | WorkstationName: 616 | LogonGuid: 617 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 618 | LmPackageName: - 619 | KeyLength: - 620 | ProcessId: 0 621 | ProcessName: 0x0 622 | IpAddress: - 623 | IpPort: 172.16.0.3 624 | ImpersonationLevel: 49752 625 | RestrictedAdminMode: %%1833 626 | TargetOutboundUserName: - 627 | TargetOutboundDomainName: - 628 | VirtualAccount: - 629 | TargetLinkedLogonId: %%1843 630 | ElevatedToken: 0x0 631 | ------------------ 632 | ------------------ 633 | [NEW EVENT FOUND] 634 | EventID: 4672 635 | Description: Special privileges assigned to new logon. 636 | Time Generated: 2024-06-11 19:45:19 637 | SourceName: Microsoft-Windows-Security-Auditing 638 | ComputerName: dc01.office.pwn 639 | UserSid: None 640 | SubjectUserSid: S-1-5-18 641 | SubjectUserName: DC01$ 642 | SubjectDomainName: DC01$ 643 | SubjectLogonId: 0x1c4d2d 644 | PrivilegeList: SeSecurityPrivilege 645 | SeBackupPrivilege 646 | SeRestorePrivilege 647 | SeTakeOwnershipPrivilege 648 | SeDebugPrivilege 649 | SeSystemEnvironmentPrivilege 650 | SeLoadDriverPrivilege 651 | SeImpersonatePrivilege 652 | SeDelegateSessionUserImpersonatePrivilege 653 | SeEnableDelegationPrivilege 654 | ------------------ 655 | ------------------ 656 | [NEW EVENT FOUND] 657 | EventID: 4624 658 | Description: An account was successfully logged on. 
659 | Time Generated: 2024-06-11 19:45:19 660 | SourceName: Microsoft-Windows-Security-Auditing 661 | ComputerName: dc01.office.pwn 662 | UserSid: None 663 | SubjectUserSid: S-1-0-0 664 | SubjectUserName: - 665 | SubjectDomainName: - 666 | SubjectLogonId: 0x0 667 | TargetUserSid: S-1-5-18 668 | TargetUserName: DC01$ 669 | TargetDomainName: DC01$ 670 | TargetLogonId: 0x1c4c6a 671 | LogonType: 3 672 | LogonProcessName: Kerberos 673 | AuthenticationPackageName: Kerberos 674 | WorkstationName: 675 | LogonGuid: 676 | TransmittedServices: {4D1692A3-E22B-D612-1043-DC1C0FCE5D9C} 677 | LmPackageName: - 678 | KeyLength: - 679 | ProcessId: 0 680 | ProcessName: 0x0 681 | IpAddress: - 682 | IpPort: ::1 683 | ImpersonationLevel: 0 684 | RestrictedAdminMode: %%1833 685 | TargetOutboundUserName: - 686 | TargetOutboundDomainName: - 687 | VirtualAccount: - 688 | TargetLinkedLogonId: %%1843 689 | ElevatedToken: 0x0 690 | ------------------ 691 | ------------------ 692 | [NEW EVENT FOUND] 693 | EventID: 4672 694 | Description: Special privileges assigned to new logon. 695 | Time Generated: 2024-06-11 19:45:19 696 | SourceName: Microsoft-Windows-Security-Auditing 697 | ComputerName: dc01.office.pwn 698 | UserSid: None 699 | SubjectUserSid: S-1-5-18 700 | SubjectUserName: DC01$ 701 | SubjectDomainName: DC01$ 702 | SubjectLogonId: 0x1c4c6a 703 | PrivilegeList: SeSecurityPrivilege 704 | SeBackupPrivilege 705 | SeRestorePrivilege 706 | SeTakeOwnershipPrivilege 707 | SeDebugPrivilege 708 | SeSystemEnvironmentPrivilege 709 | SeLoadDriverPrivilege 710 | SeImpersonatePrivilege 711 | SeDelegateSessionUserImpersonatePrivilege 712 | SeEnableDelegationPrivilege 713 | ------------------ 714 | ------------------ 715 | [NEW EVENT FOUND] 716 | EventID: 4624 717 | Description: An account was successfully logged on. 
718 | Time Generated: 2024-06-11 19:45:19 719 | SourceName: Microsoft-Windows-Security-Auditing 720 | ComputerName: dc01.office.pwn 721 | UserSid: None 722 | SubjectUserSid: S-1-0-0 723 | SubjectUserName: - 724 | SubjectDomainName: - 725 | SubjectLogonId: 0x0 726 | TargetUserSid: S-1-5-18 727 | TargetUserName: DC01$ 728 | TargetDomainName: DC01$ 729 | TargetLogonId: 0x1c4ade 730 | LogonType: 3 731 | LogonProcessName: Kerberos 732 | AuthenticationPackageName: Kerberos 733 | WorkstationName: 734 | LogonGuid: 735 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 736 | LmPackageName: - 737 | KeyLength: - 738 | ProcessId: 0 739 | ProcessName: 0x0 740 | IpAddress: - 741 | IpPort: fe80::e9a0:667c:84a3:6f47 742 | ImpersonationLevel: 49751 743 | RestrictedAdminMode: %%1833 744 | TargetOutboundUserName: - 745 | TargetOutboundDomainName: - 746 | VirtualAccount: - 747 | TargetLinkedLogonId: %%1843 748 | ElevatedToken: 0x0 749 | ------------------ 750 | ------------------ 751 | [NEW EVENT FOUND] 752 | EventID: 4672 753 | Description: Special privileges assigned to new logon. 754 | Time Generated: 2024-06-11 19:45:19 755 | SourceName: Microsoft-Windows-Security-Auditing 756 | ComputerName: dc01.office.pwn 757 | UserSid: None 758 | SubjectUserSid: S-1-5-18 759 | SubjectUserName: DC01$ 760 | SubjectDomainName: DC01$ 761 | SubjectLogonId: 0x1c4ade 762 | PrivilegeList: SeSecurityPrivilege 763 | SeBackupPrivilege 764 | SeRestorePrivilege 765 | SeTakeOwnershipPrivilege 766 | SeDebugPrivilege 767 | SeSystemEnvironmentPrivilege 768 | SeLoadDriverPrivilege 769 | SeImpersonatePrivilege 770 | SeDelegateSessionUserImpersonatePrivilege 771 | SeEnableDelegationPrivilege 772 | ------------------ 773 | ------------------ 774 | [NEW EVENT FOUND] 775 | EventID: 4624 776 | Description: An account was successfully logged on. 
777 | Time Generated: 2024-06-11 19:45:12 778 | SourceName: Microsoft-Windows-Security-Auditing 779 | ComputerName: dc01.office.pwn 780 | UserSid: None 781 | SubjectUserSid: S-1-0-0 782 | SubjectUserName: - 783 | SubjectDomainName: - 784 | SubjectLogonId: 0x0 785 | TargetUserSid: S-1-5-18 786 | TargetUserName: DC01$ 787 | TargetDomainName: DC01$ 788 | TargetLogonId: 0x194218 789 | LogonType: 3 790 | LogonProcessName: Kerberos 791 | AuthenticationPackageName: Kerberos 792 | WorkstationName: 793 | LogonGuid: 794 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 795 | LmPackageName: - 796 | KeyLength: - 797 | ProcessId: 0 798 | ProcessName: 0x0 799 | IpAddress: - 800 | IpPort: fe80::e9a0:667c:84a3:6f47 801 | ImpersonationLevel: 49750 802 | RestrictedAdminMode: %%1833 803 | TargetOutboundUserName: - 804 | TargetOutboundDomainName: - 805 | VirtualAccount: - 806 | TargetLinkedLogonId: %%1843 807 | ElevatedToken: 0x0 808 | ------------------ 809 | ------------------ 810 | [NEW EVENT FOUND] 811 | EventID: 4672 812 | Description: Special privileges assigned to new logon. 813 | Time Generated: 2024-06-11 19:45:12 814 | SourceName: Microsoft-Windows-Security-Auditing 815 | ComputerName: dc01.office.pwn 816 | UserSid: None 817 | SubjectUserSid: S-1-5-18 818 | SubjectUserName: DC01$ 819 | SubjectDomainName: DC01$ 820 | SubjectLogonId: 0x194218 821 | PrivilegeList: SeSecurityPrivilege 822 | SeBackupPrivilege 823 | SeRestorePrivilege 824 | SeTakeOwnershipPrivilege 825 | SeDebugPrivilege 826 | SeSystemEnvironmentPrivilege 827 | SeLoadDriverPrivilege 828 | SeImpersonatePrivilege 829 | SeDelegateSessionUserImpersonatePrivilege 830 | SeEnableDelegationPrivilege 831 | ------------------ 832 | ------------------ 833 | [NEW EVENT FOUND] 834 | EventID: 4624 835 | Description: An account was successfully logged on. 
836 | Time Generated: 2024-06-11 19:45:12 837 | SourceName: Microsoft-Windows-Security-Auditing 838 | ComputerName: dc01.office.pwn 839 | UserSid: None 840 | SubjectUserSid: S-1-0-0 841 | SubjectUserName: - 842 | SubjectDomainName: - 843 | SubjectLogonId: 0x0 844 | TargetUserSid: S-1-5-18 845 | TargetUserName: DC01$ 846 | TargetDomainName: DC01$ 847 | TargetLogonId: 0x194036 848 | LogonType: 3 849 | LogonProcessName: Kerberos 850 | AuthenticationPackageName: Kerberos 851 | WorkstationName: 852 | LogonGuid: 853 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 854 | LmPackageName: - 855 | KeyLength: - 856 | ProcessId: 0 857 | ProcessName: 0x0 858 | IpAddress: - 859 | IpPort: fe80::e9a0:667c:84a3:6f47 860 | ImpersonationLevel: 49749 861 | RestrictedAdminMode: %%1833 862 | TargetOutboundUserName: - 863 | TargetOutboundDomainName: - 864 | VirtualAccount: - 865 | TargetLinkedLogonId: %%1843 866 | ElevatedToken: 0x0 867 | ------------------ 868 | ------------------ 869 | [NEW EVENT FOUND] 870 | EventID: 4672 871 | Description: Special privileges assigned to new logon. 872 | Time Generated: 2024-06-11 19:45:12 873 | SourceName: Microsoft-Windows-Security-Auditing 874 | ComputerName: dc01.office.pwn 875 | UserSid: None 876 | SubjectUserSid: S-1-5-18 877 | SubjectUserName: DC01$ 878 | SubjectDomainName: DC01$ 879 | SubjectLogonId: 0x194036 880 | PrivilegeList: SeSecurityPrivilege 881 | SeBackupPrivilege 882 | SeRestorePrivilege 883 | SeTakeOwnershipPrivilege 884 | SeDebugPrivilege 885 | SeSystemEnvironmentPrivilege 886 | SeLoadDriverPrivilege 887 | SeImpersonatePrivilege 888 | SeDelegateSessionUserImpersonatePrivilege 889 | SeEnableDelegationPrivilege 890 | ------------------ 891 | ------------------ 892 | [NEW EVENT FOUND] 893 | EventID: 4624 894 | Description: An account was successfully logged on. 
895 | Time Generated: 2024-06-11 19:45:11 896 | SourceName: Microsoft-Windows-Security-Auditing 897 | ComputerName: dc01.office.pwn 898 | UserSid: None 899 | SubjectUserSid: S-1-0-0 900 | SubjectUserName: - 901 | SubjectDomainName: - 902 | SubjectLogonId: 0x0 903 | TargetUserSid: S-1-5-18 904 | TargetUserName: DC01$ 905 | TargetDomainName: DC01$ 906 | TargetLogonId: 0x18fbb4 907 | LogonType: 3 908 | LogonProcessName: Kerberos 909 | AuthenticationPackageName: Kerberos 910 | WorkstationName: 911 | LogonGuid: 912 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 913 | LmPackageName: - 914 | KeyLength: - 915 | ProcessId: 0 916 | ProcessName: 0x0 917 | IpAddress: - 918 | IpPort: ::1 919 | ImpersonationLevel: 49747 920 | RestrictedAdminMode: %%1833 921 | TargetOutboundUserName: - 922 | TargetOutboundDomainName: - 923 | VirtualAccount: - 924 | TargetLinkedLogonId: %%1843 925 | ElevatedToken: 0x0 926 | ------------------ 927 | ------------------ 928 | [NEW EVENT FOUND] 929 | EventID: 4672 930 | Description: Special privileges assigned to new logon. 931 | Time Generated: 2024-06-11 19:45:11 932 | SourceName: Microsoft-Windows-Security-Auditing 933 | ComputerName: dc01.office.pwn 934 | UserSid: None 935 | SubjectUserSid: S-1-5-18 936 | SubjectUserName: DC01$ 937 | SubjectDomainName: DC01$ 938 | SubjectLogonId: 0x18fbb4 939 | PrivilegeList: SeSecurityPrivilege 940 | SeBackupPrivilege 941 | SeRestorePrivilege 942 | SeTakeOwnershipPrivilege 943 | SeDebugPrivilege 944 | SeSystemEnvironmentPrivilege 945 | SeLoadDriverPrivilege 946 | SeImpersonatePrivilege 947 | SeDelegateSessionUserImpersonatePrivilege 948 | SeEnableDelegationPrivilege 949 | ------------------ 950 | ------------------ 951 | [NEW EVENT FOUND] 952 | EventID: 4672 953 | Description: Special privileges assigned to new logon. 
954 | Time Generated: 2024-06-11 19:44:38 955 | SourceName: Microsoft-Windows-Security-Auditing 956 | ComputerName: dc01.office.pwn 957 | UserSid: None 958 | SubjectUserSid: S-1-5-18 959 | SubjectUserName: СИСТЕМА@NT AUTHORITY 960 | SubjectDomainName: NT AUTHORITY 961 | SubjectLogonId: 0x3e7 962 | PrivilegeList: 963 | ------------------ 964 | ------------------ 965 | [NEW EVENT FOUND] 966 | EventID: 4624 967 | Description: An account was successfully logged on. 968 | Time Generated: 2024-06-11 19:44:38 969 | SourceName: Microsoft-Windows-Security-Auditing 970 | ComputerName: dc01.office.pwn 971 | UserSid: None 972 | SubjectUserSid: S-1-5-18 973 | SubjectUserName: DC01$ 974 | SubjectDomainName: DC01$ 975 | SubjectLogonId: 0x3e7 976 | TargetUserSid: S-1-5-18 977 | TargetUserName: СИСТЕМА@NT AUTHORITY 978 | TargetDomainName: NT AUTHORITY 979 | TargetLogonId: 0x3e7 980 | LogonType: Advapi 981 | LogonProcessName: Negotiate 982 | AuthenticationPackageName: 983 | WorkstationName: 984 | LogonGuid: {00000000-0000-0000-0000-000000000000} 985 | TransmittedServices: - 986 | LmPackageName: - 987 | KeyLength: 0 988 | ProcessId: 0x2e4 989 | ProcessName: C:\Windows\System32\services.exe 990 | IpAddress: - 991 | IpPort: - 992 | ImpersonationLevel: %%1833 993 | RestrictedAdminMode: - 994 | TargetOutboundUserName: - 995 | TargetOutboundDomainName: - 996 | VirtualAccount: %%1843 997 | TargetLinkedLogonId: 0x0 998 | ElevatedToken: %%1842 999 | ------------------ 1000 | ------------------ 1001 | [NEW EVENT FOUND] 1002 | EventID: 4624 1003 | Description: An account was successfully logged on. 
1004 | Time Generated: 2024-06-11 19:44:37 1005 | SourceName: Microsoft-Windows-Security-Auditing 1006 | ComputerName: dc01.office.pwn 1007 | UserSid: None 1008 | SubjectUserSid: S-1-0-0 1009 | SubjectUserName: - 1010 | SubjectDomainName: - 1011 | SubjectLogonId: 0x0 1012 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1013 | TargetUserName: dcom 1014 | TargetDomainName: dcom 1015 | TargetLogonId: 0x94700 1016 | LogonType: 3 1017 | LogonProcessName: NtLmSsp 1018 | AuthenticationPackageName: NTLM 1019 | WorkstationName: 1020 | LogonGuid: 1021 | TransmittedServices: {00000000-0000-0000-0000-000000000000} 1022 | LmPackageName: - 1023 | KeyLength: NTLM V2 1024 | ProcessId: 128 1025 | ProcessName: 0x0 1026 | IpAddress: - 1027 | IpPort: 172.16.0.5 1028 | ImpersonationLevel: 39094 1029 | RestrictedAdminMode: %%1833 1030 | TargetOutboundUserName: - 1031 | TargetOutboundDomainName: - 1032 | VirtualAccount: - 1033 | TargetLinkedLogonId: %%1843 1034 | ElevatedToken: 0x0 1035 | ------------------ 1036 | ------------------ 1037 | [NEW EVENT FOUND] 1038 | EventID: 4672 1039 | Description: Special privileges assigned to new logon. 1040 | Time Generated: 2024-06-11 19:44:37 1041 | SourceName: Microsoft-Windows-Security-Auditing 1042 | ComputerName: dc01.office.pwn 1043 | UserSid: None 1044 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1045 | SubjectUserName: dcom 1046 | SubjectDomainName: dcom 1047 | SubjectLogonId: 0x94700 1048 | PrivilegeList: SeSecurityPrivilege 1049 | SeBackupPrivilege 1050 | SeRestorePrivilege 1051 | SeTakeOwnershipPrivilege 1052 | SeDebugPrivilege 1053 | SeSystemEnvironmentPrivilege 1054 | SeLoadDriverPrivilege 1055 | SeImpersonatePrivilege 1056 | SeDelegateSessionUserImpersonatePrivilege 1057 | SeEnableDelegationPrivilege 1058 | ------------------ 1059 | ------------------ 1060 | [NEW EVENT FOUND] 1061 | EventID: 4624 1062 | Description: An account was successfully logged on. 
1063 | Time Generated: 2024-06-11 19:44:32 1064 | SourceName: Microsoft-Windows-Security-Auditing 1065 | ComputerName: dc01.office.pwn 1066 | UserSid: None 1067 | SubjectUserSid: S-1-0-0 1068 | SubjectUserName: - 1069 | SubjectDomainName: - 1070 | SubjectLogonId: 0x0 1071 | TargetUserSid: S-1-5-18 1072 | TargetUserName: DC01$ 1073 | TargetDomainName: DC01$ 1074 | TargetLogonId: 0x8d080 1075 | LogonType: 3 1076 | LogonProcessName: Kerberos 1077 | AuthenticationPackageName: Kerberos 1078 | WorkstationName: 1079 | LogonGuid: 1080 | TransmittedServices: {1ABA9359-1D80-A800-423D-6800BB92E16F} 1081 | LmPackageName: - 1082 | KeyLength: - 1083 | ProcessId: 0 1084 | ProcessName: 0x0 1085 | IpAddress: - 1086 | IpPort: fe80::e9a0:667c:84a3:6f47 1087 | ImpersonationLevel: 49741 1088 | RestrictedAdminMode: %%1840 1089 | TargetOutboundUserName: - 1090 | TargetOutboundDomainName: - 1091 | VirtualAccount: - 1092 | TargetLinkedLogonId: %%1843 1093 | ElevatedToken: 0x0 1094 | ------------------ 1095 | ------------------ 1096 | [NEW EVENT FOUND] 1097 | EventID: 4672 1098 | Description: Special privileges assigned to new logon. 1099 | Time Generated: 2024-06-11 19:44:32 1100 | SourceName: Microsoft-Windows-Security-Auditing 1101 | ComputerName: dc01.office.pwn 1102 | UserSid: None 1103 | SubjectUserSid: S-1-5-18 1104 | SubjectUserName: DC01$ 1105 | SubjectDomainName: DC01$ 1106 | SubjectLogonId: 0x8d080 1107 | PrivilegeList: SeSecurityPrivilege 1108 | SeBackupPrivilege 1109 | SeRestorePrivilege 1110 | SeTakeOwnershipPrivilege 1111 | SeDebugPrivilege 1112 | SeSystemEnvironmentPrivilege 1113 | SeLoadDriverPrivilege 1114 | SeImpersonatePrivilege 1115 | SeDelegateSessionUserImpersonatePrivilege 1116 | SeEnableDelegationPrivilege 1117 | ------------------ 1118 | ------------------ 1119 | [NEW EVENT FOUND] 1120 | EventID: 4769 1121 | Description: A Kerberos service ticket (TGS) was requested. 
1122 | Time Generated: 2024-06-11 19:44:32 1123 | SourceName: Microsoft-Windows-Security-Auditing 1124 | ComputerName: dc01.office.pwn 1125 | UserSid: None 1126 | TargetUserName: DC01$@OFFICE.PWN 1127 | TargetDomainName: OFFICE.PWN 1128 | ServiceName: OFFICE.PWN 1129 | ServiceName: DC01$ 1130 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 1131 | TicketOptions: 0x40810000 1132 | TicketEncryptionType: 0x12 1133 | IpAddress: ::1 1134 | IpPort: 0 1135 | Status: 0x0 1136 | LogonGuid: {E3650357-0AE9-2BB8-B9E4-58A225C22CB6} 1137 | TransmittedServices: - 1138 | ------------------ 1139 | ------------------ 1140 | [NEW EVENT FOUND] 1141 | EventID: 4624 1142 | Description: An account was successfully logged on. 1143 | Time Generated: 2024-06-11 19:44:12 1144 | SourceName: Microsoft-Windows-Security-Auditing 1145 | ComputerName: dc01.office.pwn 1146 | UserSid: None 1147 | SubjectUserSid: S-1-0-0 1148 | SubjectUserName: - 1149 | SubjectDomainName: - 1150 | SubjectLogonId: 0x0 1151 | TargetUserSid: S-1-5-18 1152 | TargetUserName: DC01$ 1153 | TargetDomainName: DC01$ 1154 | TargetLogonId: 0x8cc24 1155 | LogonType: 3 1156 | LogonProcessName: Kerberos 1157 | AuthenticationPackageName: Kerberos 1158 | WorkstationName: 1159 | LogonGuid: 1160 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 1161 | LmPackageName: - 1162 | KeyLength: - 1163 | ProcessId: 0 1164 | ProcessName: 0x0 1165 | IpAddress: - 1166 | IpPort: ::1 1167 | ImpersonationLevel: 49740 1168 | RestrictedAdminMode: %%1833 1169 | TargetOutboundUserName: - 1170 | TargetOutboundDomainName: - 1171 | VirtualAccount: - 1172 | TargetLinkedLogonId: %%1843 1173 | ElevatedToken: 0x0 1174 | ------------------ 1175 | ------------------ 1176 | [NEW EVENT FOUND] 1177 | EventID: 4672 1178 | Description: Special privileges assigned to new logon. 
1179 | Time Generated: 2024-06-11 19:44:12 1180 | SourceName: Microsoft-Windows-Security-Auditing 1181 | ComputerName: dc01.office.pwn 1182 | UserSid: None 1183 | SubjectUserSid: S-1-5-18 1184 | SubjectUserName: DC01$ 1185 | SubjectDomainName: DC01$ 1186 | SubjectLogonId: 0x8cc24 1187 | PrivilegeList: SeSecurityPrivilege 1188 | SeBackupPrivilege 1189 | SeRestorePrivilege 1190 | SeTakeOwnershipPrivilege 1191 | SeDebugPrivilege 1192 | SeSystemEnvironmentPrivilege 1193 | SeLoadDriverPrivilege 1194 | SeImpersonatePrivilege 1195 | SeDelegateSessionUserImpersonatePrivilege 1196 | SeEnableDelegationPrivilege 1197 | ------------------ 1198 | ------------------ 1199 | [NEW EVENT FOUND] 1200 | EventID: 4624 1201 | Description: An account was successfully logged on. 1202 | Time Generated: 2024-06-11 19:43:27 1203 | SourceName: Microsoft-Windows-Security-Auditing 1204 | ComputerName: dc01.office.pwn 1205 | UserSid: None 1206 | SubjectUserSid: S-1-0-0 1207 | SubjectUserName: - 1208 | SubjectDomainName: - 1209 | SubjectLogonId: 0x0 1210 | TargetUserSid: S-1-5-18 1211 | TargetUserName: DC01$ 1212 | TargetDomainName: DC01$ 1213 | TargetLogonId: 0x7dfff 1214 | LogonType: 3 1215 | LogonProcessName: Kerberos 1216 | AuthenticationPackageName: Kerberos 1217 | WorkstationName: 1218 | LogonGuid: 1219 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 1220 | LmPackageName: - 1221 | KeyLength: - 1222 | ProcessId: 0 1223 | ProcessName: 0x0 1224 | IpAddress: - 1225 | IpPort: fe80::e9a0:667c:84a3:6f47 1226 | ImpersonationLevel: 49738 1227 | RestrictedAdminMode: %%1833 1228 | TargetOutboundUserName: - 1229 | TargetOutboundDomainName: - 1230 | VirtualAccount: - 1231 | TargetLinkedLogonId: %%1843 1232 | ElevatedToken: 0x0 1233 | ------------------ 1234 | ------------------ 1235 | [NEW EVENT FOUND] 1236 | EventID: 4672 1237 | Description: Special privileges assigned to new logon. 
1238 | Time Generated: 2024-06-11 19:43:27 1239 | SourceName: Microsoft-Windows-Security-Auditing 1240 | ComputerName: dc01.office.pwn 1241 | UserSid: None 1242 | SubjectUserSid: S-1-5-18 1243 | SubjectUserName: DC01$ 1244 | SubjectDomainName: DC01$ 1245 | SubjectLogonId: 0x7dfff 1246 | PrivilegeList: SeSecurityPrivilege 1247 | SeBackupPrivilege 1248 | SeRestorePrivilege 1249 | SeTakeOwnershipPrivilege 1250 | SeDebugPrivilege 1251 | SeSystemEnvironmentPrivilege 1252 | SeLoadDriverPrivilege 1253 | SeImpersonatePrivilege 1254 | SeDelegateSessionUserImpersonatePrivilege 1255 | SeEnableDelegationPrivilege 1256 | ------------------ 1257 | ------------------ 1258 | [NEW EVENT FOUND] 1259 | EventID: 4624 1260 | Description: An account was successfully logged on. 1261 | Time Generated: 2024-06-11 19:43:14 1262 | SourceName: Microsoft-Windows-Security-Auditing 1263 | ComputerName: dc01.office.pwn 1264 | UserSid: None 1265 | SubjectUserSid: S-1-0-0 1266 | SubjectUserName: - 1267 | SubjectDomainName: - 1268 | SubjectLogonId: 0x0 1269 | TargetUserSid: S-1-5-18 1270 | TargetUserName: DC01$ 1271 | TargetDomainName: DC01$ 1272 | TargetLogonId: 0x6eb95 1273 | LogonType: 3 1274 | LogonProcessName: Kerberos 1275 | AuthenticationPackageName: Kerberos 1276 | WorkstationName: 1277 | LogonGuid: 1278 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 1279 | LmPackageName: - 1280 | KeyLength: - 1281 | ProcessId: 0 1282 | ProcessName: 0x0 1283 | IpAddress: - 1284 | IpPort: ::1 1285 | ImpersonationLevel: 49736 1286 | RestrictedAdminMode: %%1833 1287 | TargetOutboundUserName: - 1288 | TargetOutboundDomainName: - 1289 | VirtualAccount: - 1290 | TargetLinkedLogonId: %%1843 1291 | ElevatedToken: 0x0 1292 | ------------------ 1293 | ------------------ 1294 | [NEW EVENT FOUND] 1295 | EventID: 4672 1296 | Description: Special privileges assigned to new logon. 
1297 | Time Generated: 2024-06-11 19:43:14 1298 | SourceName: Microsoft-Windows-Security-Auditing 1299 | ComputerName: dc01.office.pwn 1300 | UserSid: None 1301 | SubjectUserSid: S-1-5-18 1302 | SubjectUserName: DC01$ 1303 | SubjectDomainName: DC01$ 1304 | SubjectLogonId: 0x6eb95 1305 | PrivilegeList: SeSecurityPrivilege 1306 | SeBackupPrivilege 1307 | SeRestorePrivilege 1308 | SeTakeOwnershipPrivilege 1309 | SeDebugPrivilege 1310 | SeSystemEnvironmentPrivilege 1311 | SeLoadDriverPrivilege 1312 | SeImpersonatePrivilege 1313 | SeDelegateSessionUserImpersonatePrivilege 1314 | SeEnableDelegationPrivilege 1315 | ------------------ 1316 | ------------------ 1317 | [NEW EVENT FOUND] 1318 | EventID: 4624 1319 | Description: An account was successfully logged on. 1320 | Time Generated: 2024-06-11 19:42:40 1321 | SourceName: Microsoft-Windows-Security-Auditing 1322 | ComputerName: dc01.office.pwn 1323 | UserSid: None 1324 | SubjectUserSid: S-1-0-0 1325 | SubjectUserName: - 1326 | SubjectDomainName: - 1327 | SubjectLogonId: 0x0 1328 | TargetUserSid: S-1-5-18 1329 | TargetUserName: DC01$ 1330 | TargetDomainName: DC01$ 1331 | TargetLogonId: 0x60e55 1332 | LogonType: 3 1333 | LogonProcessName: Kerberos 1334 | AuthenticationPackageName: Kerberos 1335 | WorkstationName: 1336 | LogonGuid: 1337 | TransmittedServices: {8CEAC54E-46FF-E1AF-A782-84D9A85BC980} 1338 | LmPackageName: - 1339 | KeyLength: - 1340 | ProcessId: 0 1341 | ProcessName: 0x0 1342 | IpAddress: - 1343 | IpPort: - 1344 | ImpersonationLevel: - 1345 | RestrictedAdminMode: %%1840 1346 | TargetOutboundUserName: - 1347 | TargetOutboundDomainName: - 1348 | VirtualAccount: - 1349 | TargetLinkedLogonId: %%1843 1350 | ElevatedToken: 0x0 1351 | ------------------ 1352 | ------------------ 1353 | [NEW EVENT FOUND] 1354 | EventID: 4672 1355 | Description: Special privileges assigned to new logon. 
1356 | Time Generated: 2024-06-11 19:42:40 1357 | SourceName: Microsoft-Windows-Security-Auditing 1358 | ComputerName: dc01.office.pwn 1359 | UserSid: None 1360 | SubjectUserSid: S-1-5-18 1361 | SubjectUserName: DC01$ 1362 | SubjectDomainName: DC01$ 1363 | SubjectLogonId: 0x60e55 1364 | PrivilegeList: SeSecurityPrivilege 1365 | SeBackupPrivilege 1366 | SeRestorePrivilege 1367 | SeTakeOwnershipPrivilege 1368 | SeDebugPrivilege 1369 | SeSystemEnvironmentPrivilege 1370 | SeLoadDriverPrivilege 1371 | SeImpersonatePrivilege 1372 | SeDelegateSessionUserImpersonatePrivilege 1373 | SeEnableDelegationPrivilege 1374 | ------------------ 1375 | ------------------ 1376 | [NEW EVENT FOUND] 1377 | EventID: 4624 1378 | Description: An account was successfully logged on. 1379 | Time Generated: 2024-06-11 19:42:40 1380 | SourceName: Microsoft-Windows-Security-Auditing 1381 | ComputerName: dc01.office.pwn 1382 | UserSid: None 1383 | SubjectUserSid: S-1-0-0 1384 | SubjectUserName: - 1385 | SubjectDomainName: - 1386 | SubjectLogonId: 0x0 1387 | TargetUserSid: S-1-5-18 1388 | TargetUserName: DC01$ 1389 | TargetDomainName: DC01$ 1390 | TargetLogonId: 0x60aef 1391 | LogonType: 3 1392 | LogonProcessName: Kerberos 1393 | AuthenticationPackageName: Kerberos 1394 | WorkstationName: 1395 | LogonGuid: 1396 | TransmittedServices: {8CEAC54E-46FF-E1AF-A782-84D9A85BC980} 1397 | LmPackageName: - 1398 | KeyLength: - 1399 | ProcessId: 0 1400 | ProcessName: 0x0 1401 | IpAddress: - 1402 | IpPort: - 1403 | ImpersonationLevel: - 1404 | RestrictedAdminMode: %%1840 1405 | TargetOutboundUserName: - 1406 | TargetOutboundDomainName: - 1407 | VirtualAccount: - 1408 | TargetLinkedLogonId: %%1843 1409 | ElevatedToken: 0x0 1410 | ------------------ 1411 | ------------------ 1412 | [NEW EVENT FOUND] 1413 | EventID: 4672 1414 | Description: Special privileges assigned to new logon. 
1415 | Time Generated: 2024-06-11 19:42:40 1416 | SourceName: Microsoft-Windows-Security-Auditing 1417 | ComputerName: dc01.office.pwn 1418 | UserSid: None 1419 | SubjectUserSid: S-1-5-18 1420 | SubjectUserName: DC01$ 1421 | SubjectDomainName: DC01$ 1422 | SubjectLogonId: 0x60aef 1423 | PrivilegeList: SeSecurityPrivilege 1424 | SeBackupPrivilege 1425 | SeRestorePrivilege 1426 | SeTakeOwnershipPrivilege 1427 | SeDebugPrivilege 1428 | SeSystemEnvironmentPrivilege 1429 | SeLoadDriverPrivilege 1430 | SeImpersonatePrivilege 1431 | SeDelegateSessionUserImpersonatePrivilege 1432 | SeEnableDelegationPrivilege 1433 | ------------------ 1434 | ------------------ 1435 | [NEW EVENT FOUND] 1436 | EventID: 4624 1437 | Description: An account was successfully logged on. 1438 | Time Generated: 2024-06-11 19:48:38 1439 | SourceName: Microsoft-Windows-Security-Auditing 1440 | ComputerName: dc01.office.pwn 1441 | UserSid: None 1442 | SubjectUserSid: S-1-0-0 1443 | SubjectUserName: - 1444 | SubjectDomainName: - 1445 | SubjectLogonId: 0x0 1446 | TargetUserSid: S-1-5-18 1447 | TargetUserName: DC01$ 1448 | TargetDomainName: DC01$ 1449 | TargetLogonId: 0x40f4aa 1450 | LogonType: 3 1451 | LogonProcessName: Kerberos 1452 | AuthenticationPackageName: Kerberos 1453 | WorkstationName: 1454 | LogonGuid: 1455 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 1456 | LmPackageName: - 1457 | KeyLength: - 1458 | ProcessId: 0 1459 | ProcessName: 0x0 1460 | IpAddress: - 1461 | IpPort: fe80::e9a0:667c:84a3:6f47 1462 | ImpersonationLevel: 49761 1463 | RestrictedAdminMode: %%1833 1464 | TargetOutboundUserName: - 1465 | TargetOutboundDomainName: - 1466 | VirtualAccount: - 1467 | TargetLinkedLogonId: %%1843 1468 | ElevatedToken: 0x0 1469 | ------------------ 1470 | ------------------ 1471 | [NEW EVENT FOUND] 1472 | EventID: 4672 1473 | Description: Special privileges assigned to new logon. 
1474 | Time Generated: 2024-06-11 19:48:38 1475 | SourceName: Microsoft-Windows-Security-Auditing 1476 | ComputerName: dc01.office.pwn 1477 | UserSid: None 1478 | SubjectUserSid: S-1-5-18 1479 | SubjectUserName: DC01$ 1480 | SubjectDomainName: DC01$ 1481 | SubjectLogonId: 0x40f4aa 1482 | PrivilegeList: SeSecurityPrivilege 1483 | SeBackupPrivilege 1484 | SeRestorePrivilege 1485 | SeTakeOwnershipPrivilege 1486 | SeDebugPrivilege 1487 | SeSystemEnvironmentPrivilege 1488 | SeLoadDriverPrivilege 1489 | SeImpersonatePrivilege 1490 | SeDelegateSessionUserImpersonatePrivilege 1491 | SeEnableDelegationPrivilege 1492 | ------------------ 1493 | ------------------ 1494 | [NEW EVENT FOUND] 1495 | EventID: 4672 1496 | Description: Special privileges assigned to new logon. 1497 | Time Generated: 2024-06-11 19:48:37 1498 | SourceName: Microsoft-Windows-Security-Auditing 1499 | ComputerName: dc01.office.pwn 1500 | UserSid: None 1501 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1104 1502 | SubjectUserName: васька@OFFICE 1503 | SubjectDomainName: OFFICE 1504 | SubjectLogonId: 0x40e4e5 1505 | PrivilegeList: 1506 | ------------------ 1507 | ------------------ 1508 | [NEW EVENT FOUND] 1509 | EventID: 4624 1510 | Description: An account was successfully logged on. 
1511 | Time Generated: 2024-06-11 19:48:37 1512 | SourceName: Microsoft-Windows-Security-Auditing 1513 | ComputerName: dc01.office.pwn 1514 | UserSid: None 1515 | SubjectUserSid: S-1-5-18 1516 | SubjectUserName: DC01$ 1517 | SubjectDomainName: DC01$ 1518 | SubjectLogonId: 0x3e7 1519 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1104 1520 | TargetUserName: васька@OFFICE 1521 | TargetDomainName: OFFICE 1522 | TargetLogonId: 0x40e5ab 1523 | LogonType: User32 1524 | LogonProcessName: Negotiate 1525 | AuthenticationPackageName: DC01 1526 | WorkstationName: {00000000-0000-0000-0000-000000000000} 1527 | LogonGuid: - 1528 | TransmittedServices: - 1529 | LmPackageName: 0 1530 | KeyLength: 0x94 1531 | ProcessId: C:\Windows\System32\svchost.exe 1532 | ProcessName: 127.0.0.1 1533 | IpAddress: 0 1534 | IpPort: %%1833 1535 | ImpersonationLevel: - 1536 | RestrictedAdminMode: - 1537 | TargetOutboundUserName: - 1538 | TargetOutboundDomainName: %%1843 1539 | VirtualAccount: 0x40e4e5 1540 | TargetLinkedLogonId: %%1843 1541 | ElevatedToken: 1542 | ------------------ 1543 | ------------------ 1544 | [NEW EVENT FOUND] 1545 | EventID: 4624 1546 | Description: An account was successfully logged on. 
1547 | Time Generated: 2024-06-11 19:48:37 1548 | SourceName: Microsoft-Windows-Security-Auditing 1549 | ComputerName: dc01.office.pwn 1550 | UserSid: None 1551 | SubjectUserSid: S-1-5-18 1552 | SubjectUserName: DC01$ 1553 | SubjectDomainName: DC01$ 1554 | SubjectLogonId: 0x3e7 1555 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1104 1556 | TargetUserName: васька@OFFICE 1557 | TargetDomainName: OFFICE 1558 | TargetLogonId: 0x40e4e5 1559 | LogonType: User32 1560 | LogonProcessName: Negotiate 1561 | AuthenticationPackageName: DC01 1562 | WorkstationName: {619E6237-6271-D62F-A8C2-A89B35EC7724} 1563 | LogonGuid: - 1564 | TransmittedServices: - 1565 | LmPackageName: 0 1566 | KeyLength: 0x94 1567 | ProcessId: C:\Windows\System32\svchost.exe 1568 | ProcessName: 127.0.0.1 1569 | IpAddress: 0 1570 | IpPort: %%1833 1571 | ImpersonationLevel: - 1572 | RestrictedAdminMode: - 1573 | TargetOutboundUserName: - 1574 | TargetOutboundDomainName: %%1843 1575 | VirtualAccount: 0x40e5ab 1576 | TargetLinkedLogonId: %%1842 1577 | ElevatedToken: 1578 | ------------------ 1579 | ------------------ 1580 | [NEW EVENT FOUND] 1581 | EventID: 4769 1582 | Description: A Kerberos service ticket (TGS) was requested. 1583 | Time Generated: 2024-06-11 19:48:37 1584 | SourceName: Microsoft-Windows-Security-Auditing 1585 | ComputerName: dc01.office.pwn 1586 | UserSid: None 1587 | TargetUserName: васька@@@OFFICE.PWN 1588 | TargetDomainName: OFFICE.PWN 1589 | ServiceName: OFFICE.PWN 1590 | ServiceName: DC01$ 1591 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 1592 | TicketOptions: 0x40810000 1593 | TicketEncryptionType: 0x12 1594 | IpAddress: ::1 1595 | IpPort: 0 1596 | Status: 0x0 1597 | LogonGuid: {619E6237-6271-D62F-A8C2-A89B35EC7724} 1598 | TransmittedServices: - 1599 | ------------------ 1600 | ------------------ 1601 | [NEW EVENT FOUND] 1602 | EventID: 4768 1603 | Description: A Kerberos authentication ticket (TGT) was requested. 
1604 | Time Generated: 2024-06-11 19:48:37 1605 | SourceName: Microsoft-Windows-Security-Auditing 1606 | ComputerName: dc01.office.pwn 1607 | UserSid: None 1608 | TargetUserName: васька@OFFICE 1609 | TargetDomainName: OFFICE 1610 | TargetSid: S-1-5-21-951999864-159825705-4220214313-1104 1611 | ServiceName: krbtgt 1612 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-502 1613 | TicketOptions: 0x40810010 1614 | Status: 0x0 1615 | TicketEncryptionType: 0x12 1616 | PreAuthType: 2 1617 | IpAddress: ::1 1618 | IpPort: 0 1619 | CertIssuerName: 1620 | CertSerialNumber: 1621 | CertThumbprint: 1622 | ------------------ 1623 | ------------------ 1624 | [NEW EVENT FOUND] 1625 | EventID: 4624 1626 | Description: An account was successfully logged on. 1627 | Time Generated: 2024-06-11 19:48:09 1628 | SourceName: Microsoft-Windows-Security-Auditing 1629 | ComputerName: dc01.office.pwn 1630 | UserSid: None 1631 | SubjectUserSid: S-1-0-0 1632 | SubjectUserName: - 1633 | SubjectDomainName: - 1634 | SubjectLogonId: 0x0 1635 | TargetUserSid: S-1-5-18 1636 | TargetUserName: DC01$ 1637 | TargetDomainName: DC01$ 1638 | TargetLogonId: 0x3d24e7 1639 | LogonType: 3 1640 | LogonProcessName: Kerberos 1641 | AuthenticationPackageName: Kerberos 1642 | WorkstationName: 1643 | LogonGuid: 1644 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 1645 | LmPackageName: - 1646 | KeyLength: - 1647 | ProcessId: 0 1648 | ProcessName: 0x0 1649 | IpAddress: - 1650 | IpPort: ::1 1651 | ImpersonationLevel: 49758 1652 | RestrictedAdminMode: %%1833 1653 | TargetOutboundUserName: - 1654 | TargetOutboundDomainName: - 1655 | VirtualAccount: - 1656 | TargetLinkedLogonId: %%1843 1657 | ElevatedToken: 0x0 1658 | ------------------ 1659 | ------------------ 1660 | [NEW EVENT FOUND] 1661 | EventID: 4672 1662 | Description: Special privileges assigned to new logon. 
1663 | Time Generated: 2024-06-11 19:48:09 1664 | SourceName: Microsoft-Windows-Security-Auditing 1665 | ComputerName: dc01.office.pwn 1666 | UserSid: None 1667 | SubjectUserSid: S-1-5-18 1668 | SubjectUserName: DC01$ 1669 | SubjectDomainName: DC01$ 1670 | SubjectLogonId: 0x3d24e7 1671 | PrivilegeList: SeSecurityPrivilege 1672 | SeBackupPrivilege 1673 | SeRestorePrivilege 1674 | SeTakeOwnershipPrivilege 1675 | SeDebugPrivilege 1676 | SeSystemEnvironmentPrivilege 1677 | SeLoadDriverPrivilege 1678 | SeImpersonatePrivilege 1679 | SeDelegateSessionUserImpersonatePrivilege 1680 | SeEnableDelegationPrivilege 1681 | ------------------ 1682 | ------------------ 1683 | [NEW EVENT FOUND] 1684 | EventID: 4624 1685 | Description: An account was successfully logged on. 1686 | Time Generated: 2024-06-11 19:47:37 1687 | SourceName: Microsoft-Windows-Security-Auditing 1688 | ComputerName: dc01.office.pwn 1689 | UserSid: None 1690 | SubjectUserSid: S-1-0-0 1691 | SubjectUserName: - 1692 | SubjectDomainName: - 1693 | SubjectLogonId: 0x0 1694 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-500 1695 | TargetUserName: Администратор@OFFICE 1696 | TargetDomainName: OFFICE 1697 | TargetLogonId: 0x36cd4f 1698 | LogonType: NtLmSsp 1699 | LogonProcessName: NTLM 1700 | AuthenticationPackageName: 1701 | WorkstationName: 1702 | LogonGuid: {00000000-0000-0000-0000-000000000000} 1703 | TransmittedServices: - 1704 | LmPackageName: NTLM V2 1705 | KeyLength: 128 1706 | ProcessId: 0x0 1707 | ProcessName: - 1708 | IpAddress: 172.16.0.5 1709 | IpPort: 39700 1710 | ImpersonationLevel: %%1833 1711 | RestrictedAdminMode: - 1712 | TargetOutboundUserName: - 1713 | TargetOutboundDomainName: - 1714 | VirtualAccount: %%1843 1715 | TargetLinkedLogonId: 0x0 1716 | ElevatedToken: %%1842 1717 | ------------------ 1718 | ------------------ 1719 | [NEW EVENT FOUND] 1720 | EventID: 4672 1721 | Description: Special privileges assigned to new logon. 
1722 | Time Generated: 2024-06-11 19:47:37 1723 | SourceName: Microsoft-Windows-Security-Auditing 1724 | ComputerName: dc01.office.pwn 1725 | UserSid: None 1726 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-500 1727 | SubjectUserName: Администратор@OFFICE 1728 | SubjectDomainName: OFFICE 1729 | SubjectLogonId: 0x36cd4f 1730 | PrivilegeList: 1731 | ------------------ 1732 | ------------------ 1733 | [NEW EVENT FOUND] 1734 | EventID: 4624 1735 | Description: An account was successfully logged on. 1736 | Time Generated: 2024-06-11 19:47:22 1737 | SourceName: Microsoft-Windows-Security-Auditing 1738 | ComputerName: dc01.office.pwn 1739 | UserSid: None 1740 | SubjectUserSid: S-1-0-0 1741 | SubjectUserName: - 1742 | SubjectDomainName: - 1743 | SubjectLogonId: 0x0 1744 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1745 | TargetUserName: dcom 1746 | TargetDomainName: dcom 1747 | TargetLogonId: 0x3477ae 1748 | LogonType: 3 1749 | LogonProcessName: Kerberos 1750 | AuthenticationPackageName: Kerberos 1751 | WorkstationName: 1752 | LogonGuid: 1753 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 1754 | LmPackageName: - 1755 | KeyLength: - 1756 | ProcessId: 0 1757 | ProcessName: 0x0 1758 | IpAddress: - 1759 | IpPort: 172.16.0.4 1760 | ImpersonationLevel: 61639 1761 | RestrictedAdminMode: %%1833 1762 | TargetOutboundUserName: - 1763 | TargetOutboundDomainName: - 1764 | VirtualAccount: - 1765 | TargetLinkedLogonId: %%1843 1766 | ElevatedToken: 0x0 1767 | ------------------ 1768 | ------------------ 1769 | [NEW EVENT FOUND] 1770 | EventID: 4672 1771 | Description: Special privileges assigned to new logon. 
1772 | Time Generated: 2024-06-11 19:47:22 1773 | SourceName: Microsoft-Windows-Security-Auditing 1774 | ComputerName: dc01.office.pwn 1775 | UserSid: None 1776 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1777 | SubjectUserName: dcom 1778 | SubjectDomainName: dcom 1779 | SubjectLogonId: 0x3477ae 1780 | PrivilegeList: SeSecurityPrivilege 1781 | SeBackupPrivilege 1782 | SeRestorePrivilege 1783 | SeTakeOwnershipPrivilege 1784 | SeDebugPrivilege 1785 | SeSystemEnvironmentPrivilege 1786 | SeLoadDriverPrivilege 1787 | SeImpersonatePrivilege 1788 | SeDelegateSessionUserImpersonatePrivilege 1789 | SeEnableDelegationPrivilege 1790 | ------------------ 1791 | ------------------ 1792 | [NEW EVENT FOUND] 1793 | EventID: 4624 1794 | Description: An account was successfully logged on. 1795 | Time Generated: 2024-06-11 19:47:22 1796 | SourceName: Microsoft-Windows-Security-Auditing 1797 | ComputerName: dc01.office.pwn 1798 | UserSid: None 1799 | SubjectUserSid: S-1-0-0 1800 | SubjectUserName: - 1801 | SubjectDomainName: - 1802 | SubjectLogonId: 0x0 1803 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1804 | TargetUserName: dcom 1805 | TargetDomainName: dcom 1806 | TargetLogonId: 0x34770d 1807 | LogonType: 3 1808 | LogonProcessName: Kerberos 1809 | AuthenticationPackageName: Kerberos 1810 | WorkstationName: 1811 | LogonGuid: 1812 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 1813 | LmPackageName: - 1814 | KeyLength: - 1815 | ProcessId: 0 1816 | ProcessName: 0x0 1817 | IpAddress: - 1818 | IpPort: 172.16.0.4 1819 | ImpersonationLevel: 61637 1820 | RestrictedAdminMode: %%1833 1821 | TargetOutboundUserName: - 1822 | TargetOutboundDomainName: - 1823 | VirtualAccount: - 1824 | TargetLinkedLogonId: %%1843 1825 | ElevatedToken: 0x0 1826 | ------------------ 1827 | ------------------ 1828 | [NEW EVENT FOUND] 1829 | EventID: 4672 1830 | Description: Special privileges assigned to new logon. 
1831 | Time Generated: 2024-06-11 19:47:22 1832 | SourceName: Microsoft-Windows-Security-Auditing 1833 | ComputerName: dc01.office.pwn 1834 | UserSid: None 1835 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1836 | SubjectUserName: dcom 1837 | SubjectDomainName: dcom 1838 | SubjectLogonId: 0x34770d 1839 | PrivilegeList: SeSecurityPrivilege 1840 | SeBackupPrivilege 1841 | SeRestorePrivilege 1842 | SeTakeOwnershipPrivilege 1843 | SeDebugPrivilege 1844 | SeSystemEnvironmentPrivilege 1845 | SeLoadDriverPrivilege 1846 | SeImpersonatePrivilege 1847 | SeDelegateSessionUserImpersonatePrivilege 1848 | SeEnableDelegationPrivilege 1849 | ------------------ 1850 | ------------------ 1851 | [NEW EVENT FOUND] 1852 | EventID: 4769 1853 | Description: A Kerberos service ticket (TGS) was requested. 1854 | Time Generated: 2024-06-11 19:47:22 1855 | SourceName: Microsoft-Windows-Security-Auditing 1856 | ComputerName: dc01.office.pwn 1857 | UserSid: None 1858 | TargetUserName: dcom@OFFICE.PWN 1859 | TargetDomainName: OFFICE.PWN 1860 | ServiceName: OFFICE.PWN 1861 | ServiceName: DC01$ 1862 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 1863 | TicketOptions: 0x40800000 1864 | TicketEncryptionType: 0x12 1865 | IpAddress: ::ffff:172.16.0.4 1866 | IpPort: 61638 1867 | Status: 0x0 1868 | LogonGuid: {6753957F-4545-D801-355C-0DF31DB07ED9} 1869 | TransmittedServices: - 1870 | ------------------ 1871 | ------------------ 1872 | [NEW EVENT FOUND] 1873 | EventID: 4624 1874 | Description: An account was successfully logged on. 
1875 | Time Generated: 2024-06-11 19:47:22 1876 | SourceName: Microsoft-Windows-Security-Auditing 1877 | ComputerName: dc01.office.pwn 1878 | UserSid: None 1879 | SubjectUserSid: S-1-0-0 1880 | SubjectUserName: - 1881 | SubjectDomainName: - 1882 | SubjectLogonId: 0x0 1883 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1884 | TargetUserName: dcom 1885 | TargetDomainName: dcom 1886 | TargetLogonId: 0x347661 1887 | LogonType: 3 1888 | LogonProcessName: Kerberos 1889 | AuthenticationPackageName: Kerberos 1890 | WorkstationName: 1891 | LogonGuid: 1892 | TransmittedServices: {E7D6B19D-3E05-8B6C-25F1-0C7C6A014EF0} 1893 | LmPackageName: - 1894 | KeyLength: - 1895 | ProcessId: 0 1896 | ProcessName: 0x0 1897 | IpAddress: - 1898 | IpPort: 172.16.0.4 1899 | ImpersonationLevel: 61633 1900 | RestrictedAdminMode: %%1833 1901 | TargetOutboundUserName: - 1902 | TargetOutboundDomainName: - 1903 | VirtualAccount: - 1904 | TargetLinkedLogonId: %%1843 1905 | ElevatedToken: 0x0 1906 | ------------------ 1907 | ------------------ 1908 | [NEW EVENT FOUND] 1909 | EventID: 4672 1910 | Description: Special privileges assigned to new logon. 1911 | Time Generated: 2024-06-11 19:47:22 1912 | SourceName: Microsoft-Windows-Security-Auditing 1913 | ComputerName: dc01.office.pwn 1914 | UserSid: None 1915 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 1916 | SubjectUserName: dcom 1917 | SubjectDomainName: dcom 1918 | SubjectLogonId: 0x347661 1919 | PrivilegeList: SeSecurityPrivilege 1920 | SeBackupPrivilege 1921 | SeRestorePrivilege 1922 | SeTakeOwnershipPrivilege 1923 | SeDebugPrivilege 1924 | SeSystemEnvironmentPrivilege 1925 | SeLoadDriverPrivilege 1926 | SeImpersonatePrivilege 1927 | SeDelegateSessionUserImpersonatePrivilege 1928 | SeEnableDelegationPrivilege 1929 | ------------------ 1930 | ------------------ 1931 | [NEW EVENT FOUND] 1932 | EventID: 4769 1933 | Description: A Kerberos service ticket (TGS) was requested. 
1934 | Time Generated: 2024-06-11 19:47:22 1935 | SourceName: Microsoft-Windows-Security-Auditing 1936 | ComputerName: dc01.office.pwn 1937 | UserSid: None 1938 | TargetUserName: dcom@OFFICE.PWN 1939 | TargetDomainName: OFFICE.PWN 1940 | ServiceName: OFFICE.PWN 1941 | ServiceName: DC01$ 1942 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1000 1943 | TicketOptions: 0x40810000 1944 | TicketEncryptionType: 0x12 1945 | IpAddress: ::ffff:172.16.0.4 1946 | IpPort: 61636 1947 | Status: 0x0 1948 | LogonGuid: {6753957F-4545-D801-355C-0DF31DB07ED9} 1949 | TransmittedServices: - 1950 | ------------------ 1951 | ------------------ 1952 | [NEW EVENT FOUND] 1953 | EventID: 4768 1954 | Description: A Kerberos authentication ticket (TGT) was requested. 1955 | Time Generated: 2024-06-11 19:47:22 1956 | SourceName: Microsoft-Windows-Security-Auditing 1957 | ComputerName: dc01.office.pwn 1958 | UserSid: None 1959 | TargetUserName: dcom 1960 | TargetDomainName: dcom 1961 | TargetSid: OFFICE.PWN 1962 | ServiceName: krbtgt 1963 | ServiceSid: krbtgt 1964 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 1965 | Status: 0x40810010 1966 | TicketEncryptionType: 0x0 1967 | PreAuthType: 0x12 1968 | IpAddress: 2 1969 | IpPort: ::ffff:172.16.0.4 1970 | CertIssuerName: 61635 1971 | CertSerialNumber: 1972 | CertThumbprint: 1973 | ------------------ 1974 | ------------------ 1975 | [NEW EVENT FOUND] 1976 | EventID: 4768 1977 | Description: A Kerberos authentication ticket (TGT) was requested. 
1978 | Time Generated: 2024-06-11 19:47:22 1979 | SourceName: Microsoft-Windows-Security-Auditing 1980 | ComputerName: dc01.office.pwn 1981 | UserSid: None 1982 | TargetUserName: dcom 1983 | TargetDomainName: dcom 1984 | TargetSid: OFFICE.PWN 1985 | ServiceName: krbtgt 1986 | ServiceSid: krbtgt 1987 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 1988 | Status: 0x40810010 1989 | TicketEncryptionType: 0x0 1990 | PreAuthType: 0x12 1991 | IpAddress: 2 1992 | IpPort: ::ffff:172.16.0.4 1993 | CertIssuerName: 61632 1994 | CertSerialNumber: 1995 | CertThumbprint: 1996 | ------------------ 1997 | ------------------ 1998 | [NEW EVENT FOUND] 1999 | EventID: 4769 2000 | Description: A Kerberos service ticket (TGS) was requested. 2001 | Time Generated: 2024-06-11 19:47:21 2002 | SourceName: Microsoft-Windows-Security-Auditing 2003 | ComputerName: dc01.office.pwn 2004 | UserSid: None 2005 | TargetUserName: dcom@OFFICE.PWN 2006 | TargetDomainName: OFFICE.PWN 2007 | ServiceName: OFFICE.PWN 2008 | ServiceName: WIN11$ 2009 | ServiceSid: S-1-5-21-951999864-159825705-4220214313-1105 2010 | TicketOptions: 0x40810000 2011 | TicketEncryptionType: 0x12 2012 | IpAddress: ::ffff:172.16.0.4 2013 | IpPort: 61627 2014 | Status: 0x0 2015 | LogonGuid: {38BE4ECF-E535-6E32-4EB0-EE9669864283} 2016 | TransmittedServices: - 2017 | ------------------ 2018 | ------------------ 2019 | [NEW EVENT FOUND] 2020 | EventID: 4768 2021 | Description: A Kerberos authentication ticket (TGT) was requested. 
2022 | Time Generated: 2024-06-11 19:47:21 2023 | SourceName: Microsoft-Windows-Security-Auditing 2024 | ComputerName: dc01.office.pwn 2025 | UserSid: None 2026 | TargetUserName: dcom 2027 | TargetDomainName: dcom 2028 | TargetSid: OFFICE 2029 | ServiceName: krbtgt 2030 | ServiceSid: krbtgt 2031 | TicketOptions: S-1-5-21-951999864-159825705-4220214313-502 2032 | Status: 0x40810010 2033 | TicketEncryptionType: 0x0 2034 | PreAuthType: 0x12 2035 | IpAddress: 2 2036 | IpPort: ::ffff:172.16.0.4 2037 | CertIssuerName: 61626 2038 | CertSerialNumber: 2039 | CertThumbprint: 2040 | ------------------ 2041 | ------------------ 2042 | [NEW EVENT FOUND] 2043 | EventID: 4624 2044 | Description: An account was successfully logged on. 2045 | Time Generated: 2024-06-11 19:47:09 2046 | SourceName: Microsoft-Windows-Security-Auditing 2047 | ComputerName: dc01.office.pwn 2048 | UserSid: None 2049 | SubjectUserSid: S-1-0-0 2050 | SubjectUserName: - 2051 | SubjectDomainName: - 2052 | SubjectLogonId: 0x0 2053 | TargetUserSid: S-1-5-18 2054 | TargetUserName: DC01$ 2055 | TargetDomainName: DC01$ 2056 | TargetLogonId: 0x336bdd 2057 | LogonType: 3 2058 | LogonProcessName: Kerberos 2059 | AuthenticationPackageName: Kerberos 2060 | WorkstationName: 2061 | LogonGuid: 2062 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 2063 | LmPackageName: - 2064 | KeyLength: - 2065 | ProcessId: 0 2066 | ProcessName: 0x0 2067 | IpAddress: - 2068 | IpPort: ::1 2069 | ImpersonationLevel: 49757 2070 | RestrictedAdminMode: %%1833 2071 | TargetOutboundUserName: - 2072 | TargetOutboundDomainName: - 2073 | VirtualAccount: - 2074 | TargetLinkedLogonId: %%1843 2075 | ElevatedToken: 0x0 2076 | ------------------ 2077 | ------------------ 2078 | [NEW EVENT FOUND] 2079 | EventID: 4672 2080 | Description: Special privileges assigned to new logon. 
2081 | Time Generated: 2024-06-11 19:47:09 2082 | SourceName: Microsoft-Windows-Security-Auditing 2083 | ComputerName: dc01.office.pwn 2084 | UserSid: None 2085 | SubjectUserSid: S-1-5-18 2086 | SubjectUserName: DC01$ 2087 | SubjectDomainName: DC01$ 2088 | SubjectLogonId: 0x336bdd 2089 | PrivilegeList: SeSecurityPrivilege 2090 | SeBackupPrivilege 2091 | SeRestorePrivilege 2092 | SeTakeOwnershipPrivilege 2093 | SeDebugPrivilege 2094 | SeSystemEnvironmentPrivilege 2095 | SeLoadDriverPrivilege 2096 | SeImpersonatePrivilege 2097 | SeDelegateSessionUserImpersonatePrivilege 2098 | SeEnableDelegationPrivilege 2099 | ------------------ 2100 | ------------------ 2101 | [NEW EVENT FOUND] 2102 | EventID: 4624 2103 | Description: An account was successfully logged on. 2104 | Time Generated: 2024-06-11 19:46:27 2105 | SourceName: Microsoft-Windows-Security-Auditing 2106 | ComputerName: dc01.office.pwn 2107 | UserSid: None 2108 | SubjectUserSid: S-1-0-0 2109 | SubjectUserName: - 2110 | SubjectDomainName: - 2111 | SubjectLogonId: 0x0 2112 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-500 2113 | TargetUserName: Администратор@OFFICE 2114 | TargetDomainName: OFFICE 2115 | TargetLogonId: 0x29c085 2116 | LogonType: NtLmSsp 2117 | LogonProcessName: NTLM 2118 | AuthenticationPackageName: 2119 | WorkstationName: 2120 | LogonGuid: {00000000-0000-0000-0000-000000000000} 2121 | TransmittedServices: - 2122 | LmPackageName: NTLM V2 2123 | KeyLength: 128 2124 | ProcessId: 0x0 2125 | ProcessName: - 2126 | IpAddress: 172.16.0.5 2127 | IpPort: 49198 2128 | ImpersonationLevel: %%1833 2129 | RestrictedAdminMode: - 2130 | TargetOutboundUserName: - 2131 | TargetOutboundDomainName: - 2132 | VirtualAccount: %%1843 2133 | TargetLinkedLogonId: 0x0 2134 | ElevatedToken: %%1842 2135 | ------------------ 2136 | ------------------ 2137 | [NEW EVENT FOUND] 2138 | EventID: 4672 2139 | Description: Special privileges assigned to new logon. 
2140 | Time Generated: 2024-06-11 19:46:27 2141 | SourceName: Microsoft-Windows-Security-Auditing 2142 | ComputerName: dc01.office.pwn 2143 | UserSid: None 2144 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-500 2145 | SubjectUserName: Администратор@OFFICE 2146 | SubjectDomainName: OFFICE 2147 | SubjectLogonId: 0x29c085 2148 | PrivilegeList: 2149 | ------------------ 2150 | ------------------ 2151 | [NEW EVENT FOUND] 2152 | EventID: 4624 2153 | Description: An account was successfully logged on. 2154 | Time Generated: 2024-06-11 19:46:10 2155 | SourceName: Microsoft-Windows-Security-Auditing 2156 | ComputerName: dc01.office.pwn 2157 | UserSid: None 2158 | SubjectUserSid: S-1-0-0 2159 | SubjectUserName: - 2160 | SubjectDomainName: - 2161 | SubjectLogonId: 0x0 2162 | TargetUserSid: S-1-5-18 2163 | TargetUserName: DC01$ 2164 | TargetDomainName: DC01$ 2165 | TargetLogonId: 0x264cd6 2166 | LogonType: 3 2167 | LogonProcessName: Kerberos 2168 | AuthenticationPackageName: Kerberos 2169 | WorkstationName: 2170 | LogonGuid: 2171 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 2172 | LmPackageName: - 2173 | KeyLength: - 2174 | ProcessId: 0 2175 | ProcessName: 0x0 2176 | IpAddress: - 2177 | IpPort: ::1 2178 | ImpersonationLevel: 49755 2179 | RestrictedAdminMode: %%1833 2180 | TargetOutboundUserName: - 2181 | TargetOutboundDomainName: - 2182 | VirtualAccount: - 2183 | TargetLinkedLogonId: %%1843 2184 | ElevatedToken: 0x0 2185 | ------------------ 2186 | ------------------ 2187 | [NEW EVENT FOUND] 2188 | EventID: 4672 2189 | Description: Special privileges assigned to new logon. 
2190 | Time Generated: 2024-06-11 19:46:10 2191 | SourceName: Microsoft-Windows-Security-Auditing 2192 | ComputerName: dc01.office.pwn 2193 | UserSid: None 2194 | SubjectUserSid: S-1-5-18 2195 | SubjectUserName: DC01$ 2196 | SubjectDomainName: DC01$ 2197 | SubjectLogonId: 0x264cd6 2198 | PrivilegeList: SeSecurityPrivilege 2199 | SeBackupPrivilege 2200 | SeRestorePrivilege 2201 | SeTakeOwnershipPrivilege 2202 | SeDebugPrivilege 2203 | SeSystemEnvironmentPrivilege 2204 | SeLoadDriverPrivilege 2205 | SeImpersonatePrivilege 2206 | SeDelegateSessionUserImpersonatePrivilege 2207 | SeEnableDelegationPrivilege 2208 | ------------------ 2209 | ------------------ 2210 | [NEW EVENT FOUND] 2211 | EventID: 4624 2212 | Description: An account was successfully logged on. 2213 | Time Generated: 2024-06-11 19:45:36 2214 | SourceName: Microsoft-Windows-Security-Auditing 2215 | ComputerName: dc01.office.pwn 2216 | UserSid: None 2217 | SubjectUserSid: S-1-0-0 2218 | SubjectUserName: - 2219 | SubjectDomainName: - 2220 | SubjectLogonId: 0x0 2221 | TargetUserSid: S-1-5-21-951999864-159825705-4220214313-1103 2222 | TargetUserName: dcom 2223 | TargetDomainName: dcom 2224 | TargetLogonId: 0x216727 2225 | LogonType: 3 2226 | LogonProcessName: NtLmSsp 2227 | AuthenticationPackageName: NTLM 2228 | WorkstationName: 2229 | LogonGuid: 2230 | TransmittedServices: {00000000-0000-0000-0000-000000000000} 2231 | LmPackageName: - 2232 | KeyLength: NTLM V2 2233 | ProcessId: 128 2234 | ProcessName: 0x0 2235 | IpAddress: - 2236 | IpPort: 172.16.0.5 2237 | ImpersonationLevel: 55854 2238 | RestrictedAdminMode: %%1833 2239 | TargetOutboundUserName: - 2240 | TargetOutboundDomainName: - 2241 | VirtualAccount: - 2242 | TargetLinkedLogonId: %%1843 2243 | ElevatedToken: 0x0 2244 | ------------------ 2245 | ------------------ 2246 | [NEW EVENT FOUND] 2247 | EventID: 4672 2248 | Description: Special privileges assigned to new logon. 
2249 | Time Generated: 2024-06-11 19:45:36 2250 | SourceName: Microsoft-Windows-Security-Auditing 2251 | ComputerName: dc01.office.pwn 2252 | UserSid: None 2253 | SubjectUserSid: S-1-5-21-951999864-159825705-4220214313-1103 2254 | SubjectUserName: dcom 2255 | SubjectDomainName: dcom 2256 | SubjectLogonId: 0x216727 2257 | PrivilegeList: SeSecurityPrivilege 2258 | SeBackupPrivilege 2259 | SeRestorePrivilege 2260 | SeTakeOwnershipPrivilege 2261 | SeDebugPrivilege 2262 | SeSystemEnvironmentPrivilege 2263 | SeLoadDriverPrivilege 2264 | SeImpersonatePrivilege 2265 | SeDelegateSessionUserImpersonatePrivilege 2266 | SeEnableDelegationPrivilege 2267 | ------------------ 2268 | ------------------ 2269 | [NEW EVENT FOUND] 2270 | EventID: 4624 2271 | Description: An account was successfully logged on. 2272 | Time Generated: 2024-06-11 19:45:19 2273 | SourceName: Microsoft-Windows-Security-Auditing 2274 | ComputerName: dc01.office.pwn 2275 | UserSid: None 2276 | SubjectUserSid: S-1-0-0 2277 | SubjectUserName: - 2278 | SubjectDomainName: - 2279 | SubjectLogonId: 0x0 2280 | TargetUserSid: S-1-5-18 2281 | TargetUserName: DC01$ 2282 | TargetDomainName: DC01$ 2283 | TargetLogonId: 0x1c5911 2284 | LogonType: 3 2285 | LogonProcessName: Kerberos 2286 | AuthenticationPackageName: Kerberos 2287 | WorkstationName: 2288 | LogonGuid: 2289 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 2290 | LmPackageName: - 2291 | KeyLength: - 2292 | ProcessId: 0 2293 | ProcessName: 0x0 2294 | IpAddress: - 2295 | IpPort: fe80::e9a0:667c:84a3:6f47 2296 | ImpersonationLevel: 49753 2297 | RestrictedAdminMode: %%1840 2298 | TargetOutboundUserName: - 2299 | TargetOutboundDomainName: - 2300 | VirtualAccount: - 2301 | TargetLinkedLogonId: %%1843 2302 | ElevatedToken: 0x0 2303 | ------------------ 2304 | ------------------ 2305 | [NEW EVENT FOUND] 2306 | EventID: 4672 2307 | Description: Special privileges assigned to new logon. 
2308 | Time Generated: 2024-06-11 19:45:19 2309 | SourceName: Microsoft-Windows-Security-Auditing 2310 | ComputerName: dc01.office.pwn 2311 | UserSid: None 2312 | SubjectUserSid: S-1-5-18 2313 | SubjectUserName: DC01$ 2314 | SubjectDomainName: DC01$ 2315 | SubjectLogonId: 0x1c5911 2316 | PrivilegeList: SeSecurityPrivilege 2317 | SeBackupPrivilege 2318 | SeRestorePrivilege 2319 | SeTakeOwnershipPrivilege 2320 | SeDebugPrivilege 2321 | SeSystemEnvironmentPrivilege 2322 | SeLoadDriverPrivilege 2323 | SeImpersonatePrivilege 2324 | SeDelegateSessionUserImpersonatePrivilege 2325 | SeEnableDelegationPrivilege 2326 | ------------------ 2327 | ------------------ 2328 | [NEW EVENT FOUND] 2329 | EventID: 4624 2330 | Description: An account was successfully logged on. 2331 | Time Generated: 2024-06-11 19:45:19 2332 | SourceName: Microsoft-Windows-Security-Auditing 2333 | ComputerName: dc01.office.pwn 2334 | UserSid: None 2335 | SubjectUserSid: S-1-0-0 2336 | SubjectUserName: - 2337 | SubjectDomainName: - 2338 | SubjectLogonId: 0x0 2339 | TargetUserSid: S-1-5-18 2340 | TargetUserName: DC01$ 2341 | TargetDomainName: DC01$ 2342 | TargetLogonId: 0x1c4d2d 2343 | LogonType: 3 2344 | LogonProcessName: Kerberos 2345 | AuthenticationPackageName: Kerberos 2346 | WorkstationName: 2347 | LogonGuid: 2348 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 2349 | LmPackageName: - 2350 | KeyLength: - 2351 | ProcessId: 0 2352 | ProcessName: 0x0 2353 | IpAddress: - 2354 | IpPort: 172.16.0.3 2355 | ImpersonationLevel: 49752 2356 | RestrictedAdminMode: %%1833 2357 | TargetOutboundUserName: - 2358 | TargetOutboundDomainName: - 2359 | VirtualAccount: - 2360 | TargetLinkedLogonId: %%1843 2361 | ElevatedToken: 0x0 2362 | ------------------ 2363 | ------------------ 2364 | [NEW EVENT FOUND] 2365 | EventID: 4672 2366 | Description: Special privileges assigned to new logon. 
2367 | Time Generated: 2024-06-11 19:45:19 2368 | SourceName: Microsoft-Windows-Security-Auditing 2369 | ComputerName: dc01.office.pwn 2370 | UserSid: None 2371 | SubjectUserSid: S-1-5-18 2372 | SubjectUserName: DC01$ 2373 | SubjectDomainName: DC01$ 2374 | SubjectLogonId: 0x1c4d2d 2375 | PrivilegeList: SeSecurityPrivilege 2376 | SeBackupPrivilege 2377 | SeRestorePrivilege 2378 | SeTakeOwnershipPrivilege 2379 | SeDebugPrivilege 2380 | SeSystemEnvironmentPrivilege 2381 | SeLoadDriverPrivilege 2382 | SeImpersonatePrivilege 2383 | SeDelegateSessionUserImpersonatePrivilege 2384 | SeEnableDelegationPrivilege 2385 | ------------------ 2386 | ------------------ 2387 | [NEW EVENT FOUND] 2388 | EventID: 4624 2389 | Description: An account was successfully logged on. 2390 | Time Generated: 2024-06-11 19:45:19 2391 | SourceName: Microsoft-Windows-Security-Auditing 2392 | ComputerName: dc01.office.pwn 2393 | UserSid: None 2394 | SubjectUserSid: S-1-0-0 2395 | SubjectUserName: - 2396 | SubjectDomainName: - 2397 | SubjectLogonId: 0x0 2398 | TargetUserSid: S-1-5-18 2399 | TargetUserName: DC01$ 2400 | TargetDomainName: DC01$ 2401 | TargetLogonId: 0x1c4c6a 2402 | LogonType: 3 2403 | LogonProcessName: Kerberos 2404 | AuthenticationPackageName: Kerberos 2405 | WorkstationName: 2406 | LogonGuid: 2407 | TransmittedServices: {4D1692A3-E22B-D612-1043-DC1C0FCE5D9C} 2408 | LmPackageName: - 2409 | KeyLength: - 2410 | ProcessId: 0 2411 | ProcessName: 0x0 2412 | IpAddress: - 2413 | IpPort: ::1 2414 | ImpersonationLevel: 0 2415 | RestrictedAdminMode: %%1833 2416 | TargetOutboundUserName: - 2417 | TargetOutboundDomainName: - 2418 | VirtualAccount: - 2419 | TargetLinkedLogonId: %%1843 2420 | ElevatedToken: 0x0 2421 | ------------------ 2422 | ------------------ 2423 | [NEW EVENT FOUND] 2424 | EventID: 4672 2425 | Description: Special privileges assigned to new logon. 
2426 | Time Generated: 2024-06-11 19:45:19 2427 | SourceName: Microsoft-Windows-Security-Auditing 2428 | ComputerName: dc01.office.pwn 2429 | UserSid: None 2430 | SubjectUserSid: S-1-5-18 2431 | SubjectUserName: DC01$ 2432 | SubjectDomainName: DC01$ 2433 | SubjectLogonId: 0x1c4c6a 2434 | PrivilegeList: SeSecurityPrivilege 2435 | SeBackupPrivilege 2436 | SeRestorePrivilege 2437 | SeTakeOwnershipPrivilege 2438 | SeDebugPrivilege 2439 | SeSystemEnvironmentPrivilege 2440 | SeLoadDriverPrivilege 2441 | SeImpersonatePrivilege 2442 | SeDelegateSessionUserImpersonatePrivilege 2443 | SeEnableDelegationPrivilege 2444 | ------------------ 2445 | ------------------ 2446 | [NEW EVENT FOUND] 2447 | EventID: 4624 2448 | Description: An account was successfully logged on. 2449 | Time Generated: 2024-06-11 19:45:19 2450 | SourceName: Microsoft-Windows-Security-Auditing 2451 | ComputerName: dc01.office.pwn 2452 | UserSid: None 2453 | SubjectUserSid: S-1-0-0 2454 | SubjectUserName: - 2455 | SubjectDomainName: - 2456 | SubjectLogonId: 0x0 2457 | TargetUserSid: S-1-5-18 2458 | TargetUserName: DC01$ 2459 | TargetDomainName: DC01$ 2460 | TargetLogonId: 0x1c4ade 2461 | LogonType: 3 2462 | LogonProcessName: Kerberos 2463 | AuthenticationPackageName: Kerberos 2464 | WorkstationName: 2465 | LogonGuid: 2466 | TransmittedServices: {38771484-4120-995A-2EB0-77D963C17FD5} 2467 | LmPackageName: - 2468 | KeyLength: - 2469 | ProcessId: 0 2470 | ProcessName: 0x0 2471 | IpAddress: - 2472 | IpPort: fe80::e9a0:667c:84a3:6f47 2473 | ImpersonationLevel: 49751 2474 | RestrictedAdminMode: %%1833 2475 | TargetOutboundUserName: - 2476 | TargetOutboundDomainName: - 2477 | VirtualAccount: - 2478 | TargetLinkedLogonId: %%1843 2479 | ElevatedToken: 0x0 2480 | ------------------ 2481 | ------------------ 2482 | [NEW EVENT FOUND] 2483 | EventID: 4672 2484 | Description: Special privileges assigned to new logon. 
2485 | Time Generated: 2024-06-11 19:45:19 2486 | SourceName: Microsoft-Windows-Security-Auditing 2487 | ComputerName: dc01.office.pwn 2488 | UserSid: None 2489 | SubjectUserSid: S-1-5-18 2490 | SubjectUserName: DC01$ 2491 | SubjectDomainName: DC01$ 2492 | SubjectLogonId: 0x1c4ade 2493 | PrivilegeList: SeSecurityPrivilege 2494 | SeBackupPrivilege 2495 | SeRestorePrivilege 2496 | SeTakeOwnershipPrivilege 2497 | SeDebugPrivilege 2498 | SeSystemEnvironmentPrivilege 2499 | SeLoadDriverPrivilege 2500 | SeImpersonatePrivilege 2501 | SeDelegateSessionUserImpersonatePrivilege 2502 | SeEnableDelegationPrivilege 2503 | ------------------ 2504 | ------------------ 2505 | [NEW EVENT FOUND] 2506 | EventID: 4624 2507 | Description: An account was successfully logged on. 2508 | Time Generated: 2024-06-11 19:45:12 2509 | SourceName: Microsoft-Windows-Security-Auditing 2510 | ComputerName: dc01.office.pwn 2511 | UserSid: None 2512 | SubjectUserSid: S-1-0-0 2513 | SubjectUserName: - 2514 | SubjectDomainName: - 2515 | SubjectLogonId: 0x0 2516 | TargetUserSid: S-1-5-18 2517 | TargetUserName: DC01$ 2518 | TargetDomainName: DC01$ 2519 | TargetLogonId: 0x194218 2520 | LogonType: 3 2521 | LogonProcessName: Kerberos 2522 | AuthenticationPackageName: Kerberos 2523 | WorkstationName: 2524 | LogonGuid: 2525 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 2526 | LmPackageName: - 2527 | KeyLength: - 2528 | ProcessId: 0 2529 | ProcessName: 0x0 2530 | IpAddress: - 2531 | IpPort: fe80::e9a0:667c:84a3:6f47 2532 | ImpersonationLevel: 49750 2533 | RestrictedAdminMode: %%1833 2534 | TargetOutboundUserName: - 2535 | TargetOutboundDomainName: - 2536 | VirtualAccount: - 2537 | TargetLinkedLogonId: %%1843 2538 | ElevatedToken: 0x0 2539 | ------------------ 2540 | ------------------ 2541 | [NEW EVENT FOUND] 2542 | EventID: 4672 2543 | Description: Special privileges assigned to new logon. 
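2544 | Time Generated: 2024-06-11 19:45:12 2545 | SourceName: Microsoft-Windows-Security-Auditing 2546 | ComputerName: dc01.office.pwn 2547 | UserSid: None 2548 | SubjectUserSid: S-1-5-18 2549 | SubjectUserName: DC01$ 2550 | SubjectDomainName: DC01$ 2551 | SubjectLogonId: 0x194218 2552 | PrivilegeList: SeSecurityPrivilege 2553 | SeBackupPrivilege 2554 | SeRestorePrivilege 2555 | SeTakeOwnershipPrivilege 2556 | SeDebugPrivilege 2557 | SeSystemEnvironmentPrivilege 2558 | SeLoadDriverPrivilege 2559 | SeImpersonatePrivilege 2560 | SeDelegateSessionUserImpersonatePrivilege 2561 | SeEnableDelegationPrivilege 2562 | ------------------ 2563 | ------------------ 2564 | [NEW EVENT FOUND] 2565 | EventID: 4624 2566 | Description: An account was successfully logged on. 2567 | Time Generated: 2024-06-11 19:45:12 2568 | SourceName: Microsoft-Windows-Security-Auditing 2569 | ComputerName: dc01.office.pwn 2570 | UserSid: None 2571 | SubjectUserSid: S-1-0-0 2572 | SubjectUserName: - 2573 | SubjectDomainName: - 2574 | SubjectLogonId: 0x0 2575 | TargetUserSid: S-1-5-18 2576 | TargetUserName: DC01$ 2577 | TargetDomainName: DC01$ 2578 | TargetLogonId: 0x194036 2579 | LogonType: 3 2580 | LogonProcessName: Kerberos 2581 | AuthenticationPackageName: Kerberos 2582 | WorkstationName: 2583 | LogonGuid: 2584 | TransmittedServices: {0392D0FD-9C5C-5098-49D9-52405435C300} 2585 | LmPackageName: - 2586 | KeyLength: - 2587 | ProcessId: 0 2588 | ProcessName: 0x0 2589 | IpAddress: - 2590 | IpPort: fe80::e9a0:667c:84a3:6f47 2591 | ImpersonationLevel: 49749 2592 | RestrictedAdminMode: %%1833 2593 | TargetOutboundUserName: - 2594 | TargetOutboundDomainName: - 2595 | VirtualAccount: - 2596 | TargetLinkedLogonId: %%1843 2597 | ElevatedToken: 0x0 2598 | ------------------ 2599 | -------------------------------------------------------------------------------- /find.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# find.sh - print every event block of a LogHunter events log that contains
#           a keyword.
#
# Usage: find.sh -file events.log -searchkeyword <keyword>
#
# An event block is the text from one "[NEW EVENT FOUND]" line up to (but not
# including) the next one; the last block runs to end of file. Matching
# blocks are printed verbatim, separators included.
#
# The keyword is matched as a literal substring (awk index()), so values such
# as "DC01$", "172.16.0.5" or an "S-1-5-21-..." SID match exactly what was
# typed instead of being interpreted as a regular expression ("DC01$" would
# otherwise never match, because "$" anchors the end of the text).
#
# NOTE(review): in events.log.example several field values appear shifted
# relative to their labels (e.g. "ProcessName: 127.0.0.1", "IpAddress: 0");
# if a "Label: value" search returns nothing, search for the value alone.

# Exactly two option/value pairs are expected.
if [ "$#" -ne 4 ]; then
    echo "Usage: $0 -file events.log -searchkeyword <keyword>" >&2
    exit 1
fi

FILE=""
KEYWORD=""

while [ "$#" -gt 0 ]; do
    case "$1" in
        -file)
            # Refuse to consume a missing value; otherwise "shift 2" fails,
            # nothing is consumed and the loop never terminates.
            if [ "$#" -lt 2 ]; then
                echo "Option $1 requires a value" >&2
                exit 1
            fi
            FILE="$2"
            shift 2
            ;;
        -searchkeyword)
            if [ "$#" -lt 2 ]; then
                echo "Option $1 requires a value" >&2
                exit 1
            fi
            KEYWORD="$2"
            shift 2
            ;;
        *)
            echo "Invalid option: $1" >&2
            echo "Usage: $0 -file events.log -searchkeyword <keyword>" >&2
            exit 1
            ;;
    esac
done

if [ -z "$FILE" ] || [ -z "$KEYWORD" ]; then
    echo "Both -file and -searchkeyword options must be provided" >&2
    echo "Usage: $0 -file events.log -searchkeyword <keyword>" >&2
    exit 1
fi

# Fail with a clear message instead of letting awk report a bare I/O error.
if [ ! -r "$FILE" ]; then
    echo "Cannot read file: $FILE" >&2
    exit 1
fi

# The keyword is passed through the environment rather than "-v" so that
# backslashes in it are not reinterpreted as awk escape sequences.
KEYWORD="$KEYWORD" awk '
BEGIN { keyword = ENVIRON["KEYWORD"] }
/^\[NEW EVENT FOUND\]/ { if (index(event, keyword) > 0) print event; event = "" }
{ event = event $0 "\n" }
END { if (index(event, keyword) > 0) print event }
' "$FILE"
--------------------------------------------------------------------------------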