Eventvwr ID:4624 Logon Advapi - Suspicious activity?


Joined
May 23, 2016
Messages
53
Reaction score
0
Hi all,

Below is an Eventvwr event that recurs constantly many times per day. I'm wondering what the cause of this event is and if it's indicative of undesirable activity or a compromised system?

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: XXPC-NAMEXX$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Details:


- System
-
Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 2
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2016-05-23T15:35:48.879041300Z
EventRecordID 33327
- Correlation
[ ActivityID] {88C6B335-B29F-0000-49B3-C6889FB2D101}
- Execution
[ ProcessID] 728
[ ThreadID] 3236
Channel Security
Computer XXPCNAMEXX
Security
-
EventData
SubjectUserSid
S-1-5-18
SubjectUserName XXPCNAMEXX$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid
{00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x2d0
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
ImpersonationLevel %%1833
RestrictedAdminMode -
TargetOutboundUserName -
TargetOutboundDomainName -
VirtualAccount %%1843
TargetLinkedLogonId 0x0
ElevatedToken %%1842
 
Ad

Advertisements

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,079
Reaction score
2,225
I don't have much to contribute except to say, that I also have the same occurrence with respect to that particular event and have no reason to suspect that my system is compromised in any way.
Logon Type 5 – Service
Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account has been changed without updating the service but there’s always the possibility of malicious users at work too. However this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.
SOURCE: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html
 
Last edited:
Joined
May 23, 2016
Messages
53
Reaction score
0
Assuming this IS a malicious user how would they go about accessing the Administrators account remotely?

What ports or services would they need access to, how would they acquire the Administrators password, etc.?
 
Joined
Feb 21, 2017
Messages
1
Reaction score
0
Hi all,

Below is an Eventvwr event that recurs constantly many times per day. I'm wondering what the cause of this event is and if it's indicative of undesirable activity or a compromised system?

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: XXPC-NAMEXX$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2d0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Details:


- System
-
Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 2
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2016-05-23T15:35:48.879041300Z
EventRecordID 33327
- Correlation
[ ActivityID] {88C6B335-B29F-0000-49B3-C6889FB2D101}
- Execution
[ ProcessID] 728
[ ThreadID] 3236
Channel Security
Computer XXPCNAMEXX
Security
-
EventData
SubjectUserSid
S-1-5-18
SubjectUserName XXPCNAMEXX$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid
{00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x2d0
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
ImpersonationLevel %%1833
RestrictedAdminMode -
TargetOutboundUserName -
TargetOutboundDomainName -
VirtualAccount %%1843
TargetLinkedLogonId 0x0
ElevatedToken %%1842

I am seeing a lot of these as well, but what else do I look at to see if its a bad actor trying to get in? I have a bunch of these with unames that are not part of our network
 
Ad

Advertisements

Joined
Apr 5, 2020
Messages
1
Reaction score
0
SCRIPT MICROSOFT (Advapi)
Microsoft-Windows-Security-Auditing
EventID 4624
LogonProcessName Advapi

services.exe
Questo report viene generato da un file o URL inviato a questo servizio web l'11 dicembre 2019 05:27:08 (UTC) e script di azione:
Sistema anti-evasione pesante
Windows 7, 8, 10 e Server 2016

Panoramica dell'analisi:

Risposta agli incidenti
Valutazione del rischio

Accesso remoto

Contiene la capacità di ascoltare le connessioni in entrata
Panoramica dell'analisi:

1586088956494.png



Panoramica dell'analisi:
 

Top