Security ID Account Name Account Domain Logon ID Logon Information: Logon Type: See below Remaining logon information fields are new to Windows 10/2016 Restricted Admin Mode: Normally "-". "Yes" for incoming Remote Desktop Connections where the client specified /restrictedAdmin on the command ...
Logon Type: 5 New Logon: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2ac Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: ...
Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625, documents failed logon attempts...
Logon Type: 3 Impersonation Level: Delegation New Logon: Security ID: S-1-5-21-3803837968-1534464277-3267097699-47311 Account Name: L-3PLHH92$ Account Domain: CORP Logon ID: 0x15B72B10B Logon GUID: {07261433-bae2-c8ef-34e8-4aa451c95ab9} Process Information: Process ID: 0x0 Process...
Description Fields in 4634 Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %5 Examples of 4634 An account was logged off. Subject: Security ID: ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Log...
Event ID 4624 null sid An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: SYSTEM Account Name: MyPC$ Account Domain: MyDomain ...
Event ID: 4624 Source: Security Category: Logon/Logoff Message: An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WORKSTATION123$ Account Domain: CORPDOMAIN Logon ID: 0x3e7 Logon Type: 7
eventtype=wineventlog_security EventCode=4624 LogonType=3 LogonProcessName=Kerberos Security_ID IN ("*-500") | eval Account_Domain=mvindex(Account_Domain,1) | eval Security_ID=mvindex(Security_ID,1) | stats earliest(_time) AS start_time latest(_time) AS end_time count by EventCode LogonProcess...
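Log record EventID 4624: An account was successfully logged on. 3. Logic 1 - Unauthorized internal RDP connections: Where Detected use of RDP EventID with Logon type 10 (RemoteInteractive) OR Dest Port = 3389 AND Source is not an authorized user of RDP 4. Logic 2 - Unauthorized RDP into or out of the network 5.3 Unauthorized SMB activity 1. Theory: SMB in Windows networks is ...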
$logs = get-eventlog system -ComputerName <name of the monitored computer> -source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-7); $res = @(); ForEach ($log in $logs) {if($log.instanceid -eq 7001) {$type = "Logon"} Elseif ($log.instanceid -eq 7002){$type="Logof...