
Suspicious Event Logs in Eventvwr. Something to be concerned about?


2 replies to this topic

#1 Thelps

Posted 31 May 2016 - 02:49 PM

Following is the Eventvwr event log, which occurs multiple times per day, quite frequently. The Account name has been changed.

 

The PID indicates Local Security Authority Process with sub-services of CNG Key Isolation, Encrypting File System (EFS) and Security Accounts Manager.

 

--------------------------------------------------------------------------------------

 
An account was successfully logged on.
 
Subject:
Security ID: SYSTEM
Account Name: PCNAME$
Account Domain: WORKGROUP
Logon ID: 0x3E7
 
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
 
Impersonation Level: Impersonation
 
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
 
Process Information:
Process ID: 0x2d8
Process Name: C:\Windows\System32\services.exe
 
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
 
Detailed Authentication Information:
Logon Process: Advapi  
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
 
This event is generated when a logon session is created. It is generated on the computer that was accessed.
 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
 
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
 
-------------------------------------------------------------------------------------------------------

 

It's always Advapi.exe.

 

Is this normal behavior or something to be concerned about? My knowledge of Eventvwr is limited. Even if this is normal behavior, what is the cause of this log event?

 

Is there some way I could confirm the cause of these logs?

 

Much appreciated and regards.


Edited by Thelps, 31 May 2016 - 02:50 PM.
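The question above asks how to confirm what produces these logons. Added here as an example (not from the post or from BleepingComputer), a PowerShell script that reads the Security log, groups event 4624 by logon type, requesting process and account, and checks each type 5 (service) logon against Service Control Manager start events in the System log; the 24-hour look-back and the 5-second correlation window are assumptions.

```powershell
# Added example: attribute 4624 logons on the local host to the process that requested them.
# Run from an elevated prompt; reading the Security log requires administrator rights.
# $Hours is an assumed look-back window, not a value from the post.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop

# Event 4624 carries its fields as named EventData elements; pull them out of the XML view.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        LogonType    = [int]$d['LogonType']
        SubjectUser  = $d['SubjectUserName']
        TargetUser   = $d['TargetUserName']
        Process      = $d['ProcessName']
        LogonProcess = $d['LogonProcessName']
        SourceIp     = $d['IpAddress']
    }
}

# Logon Type 5 is a service logon: the Service Control Manager (services.exe) creates a
# logon session for the account a service runs as. The post's events (Subject SYSTEM,
# process services.exe, new logon SYSTEM) are that pattern. Count each combination.
$rows | Group-Object LogonType, Process, TargetUser |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# To confirm a type 5 logon was a service start, look for SCM event 7036
# ("... service entered the running state") in the System log within a few seconds.
$starts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($r in ($rows | Where-Object { $_.LogonType -eq 5 })) {
    $near = $starts | Where-Object { [math]::Abs(($_.TimeCreated - $r.Time).TotalSeconds) -le 5 }
    $what = if ($near) { ($near | ForEach-Object { $_.Message.Trim() }) -join ' | ' } else { 'no matching SCM 7036 event' }
    '{0:u}  {1}  {2}  -> {3}' -f $r.Time, $r.TargetUser, $r.Process, $what
}

# Type 5 logons not requested by services.exe, or network/remote-interactive logons
# (types 3 and 10) with a non-local source address, are the ones that deserve a closer look.
$rows | Where-Object {
    ($_.LogonType -eq 5 -and $_.Process -notlike '*\services.exe') -or
    ($_.LogonType -in @(3, 10) -and $_.SourceIp -notin @('-', '', '::1', '127.0.0.1'))
} | Format-Table Time, LogonType, TargetUser, Process, SourceIp -AutoSize
```

A service logon whose neighbouring 7036 event names a scheduled or on-demand service (for example one that starts a few times a day) explains recurring entries like the one in the post; a type 5 logon with no SCM event nearby, or from a process other than services.exe, is what to investigate.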



 


#2 PhotoAce

Posted 31 May 2016 - 03:45 PM

Didier Stevens answered your query in your other thread.

 

http://www.bleepingcomputer.com/forums/t/615907/suspicious-event-logs-in-eventvwr-something-to-be-concerned-about/



#3 Thelps

Posted 31 May 2016 - 03:47 PM

 

He didn't really provide any useful information though, so I thought I'd ask again in the hopes someone gives an explanation.


Edited by Thelps, 31 May 2016 - 03:47 PM.




