Date and Time,timestamp,Event ID,Account Name,Object Name,Object Type,Process Name,Computer Name,Channel,Original Event Log
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4991</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""44"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4990</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4989</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4988</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""68"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4991</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""44"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4990</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4989</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4988</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""68"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4991</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""44"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4990</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4989</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4988</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""68"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""AccessList"">%%4484
</Data>
<Data Name=""AccessMask"">0x10</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>"
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""44"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
</TimeCreated>
<EventRecordID>4990</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
</TimeCreated>
<EventRecordID>4989</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
</TimeCreated>
<EventRecordID>4988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""68"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12802</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
</TimeCreated>
<EventRecordID>314462</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""160"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""AccessList"">%%4484
</Data>
<Data Name=""AccessMask"">0x10</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>"
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""44"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
</TimeCreated>
<EventRecordID>4990</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
</TimeCreated>
<EventRecordID>4989</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
</TimeCreated>
<EventRecordID>4988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""68"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12802</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
</TimeCreated>
<EventRecordID>314462</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""160"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""AccessList"">%%4484
</Data>
<Data Name=""AccessMask"">0x10</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>"
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""44"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
</TimeCreated>
<EventRecordID>4990</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
</TimeCreated>
<EventRecordID>4989</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
</TimeCreated>
<EventRecordID>4988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""68"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452905</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452904</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452903</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452902</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452901</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452900</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452899</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452898</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452897</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452896</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452895</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452894</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452893</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452891</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452890</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452889</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452888</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452887</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452886</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452885</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
</TimeCreated>
<EventRecordID>452884</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452883</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452882</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452881</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452880</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452879</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452878</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452877</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452876</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452875</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452874</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452873</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452872</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452871</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452870</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452869</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452868</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452867</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452866</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452865</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452864</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452862</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452861</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452860</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452859</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452858</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452857</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452856</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452855</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452854</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452853</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452852</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452851</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452850</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
</TimeCreated>
<EventRecordID>452849</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452848</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452847</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452846</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452845</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452844</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452843</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452842</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452841</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452840</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452839</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452838</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452837</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452836</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452835</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452834</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452833</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452832</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452831</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452830</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452829</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452828</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452827</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452826</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452825</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452824</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
</TimeCreated>
<EventRecordID>452823</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
</TimeCreated>
<EventRecordID>452822</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
</TimeCreated>
<EventRecordID>452821</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
</TimeCreated>
<EventRecordID>452820</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
</TimeCreated>
<EventRecordID>452819</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
</TimeCreated>
<EventRecordID>452818</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
</TimeCreated>
<EventRecordID>452817</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
</TimeCreated>
<EventRecordID>452816</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
</TimeCreated>
<EventRecordID>452815</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
</TimeCreated>
<EventRecordID>452814</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
</TimeCreated>
<EventRecordID>452813</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
</TimeCreated>
<EventRecordID>452922</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
</TimeCreated>
<EventRecordID>452921</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
</TimeCreated>
<EventRecordID>452920</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
</TimeCreated>
<EventRecordID>452919</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452918</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452917</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452916</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452915</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452914</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452913</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452912</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452911</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452910</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452909</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452908</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452907</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452906</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452905</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452904</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452903</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452902</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452901</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452900</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452899</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452898</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452897</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452896</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452895</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452894</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452893</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452892</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452891</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452890</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452889</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452888</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452887</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452886</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452885</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452884</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452883</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452882</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452881</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452880</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452879</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452878</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452877</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452876</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452875</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452874</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452873</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452872</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452871</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452870</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452869</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452868</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452867</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452866</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452865</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452864</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452863</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452862</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452861</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452860</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452859</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452858</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452857</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452856</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452855</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452854</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452853</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452852</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452851</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452850</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452849</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452848</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452847</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452846</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452845</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452844</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452843</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452842</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452841</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452840</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452839</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452838</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452837</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452836</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452835</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452834</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452833</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452832</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452831</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452830</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452829</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452828</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452827</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452826</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452825</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452824</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452823</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452822</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452821</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452820</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452819</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452818</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452817</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452816</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452815</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452814</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452813</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452922</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452921</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452920</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452919</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452918</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452917</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452916</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452915</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452914</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452913</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452912</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452911</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452910</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452909</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452908</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452907</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452906</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4991</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""44"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4990</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4989</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4988</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""68"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>1</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12802</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>314462</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""160"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>MSEDGEWIN10</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x33392</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Process</Data>
|
||
|
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
|
||
|
<Data Name=""HandleId"">0x558</Data>
|
||
|
<Data Name=""AccessList"">%%4484
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x10</Data>
|
||
|
<Data Name=""ProcessId"">0x1688</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
|
||
|
<Data Name=""ResourceAttributes"">-</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4991</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""44"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4990</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4989</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""56"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12800</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>4988</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""68"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>IEWIN7</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
|
||
|
<Data Name=""SubjectUserName"">IEUser</Data>
|
||
|
<Data Name=""SubjectDomainName"">IEWIN7</Data>
|
||
|
<Data Name=""SubjectLogonId"">0xffa8</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">File</Data>
|
||
|
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
|
||
|
<Data Name=""HandleId"">0x50</Data>
|
||
|
<Data Name=""AccessList"">%%4416
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x134c</Data>
|
||
|
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452905</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452904</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452903</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452902</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452901</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452900</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452899</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452898</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452897</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452896</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452895</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452894</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452893</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452892</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452891</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452890</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452889</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452888</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452887</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452886</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452885</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452884</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452883</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452882</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452881</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452880</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452879</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452878</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452877</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452876</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452875</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452874</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452873</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452872</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452871</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452870</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452869</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452868</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452867</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452866</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452865</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452864</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452863</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452862</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452861</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452860</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452859</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452858</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452857</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452856</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452855</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452854</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452853</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452852</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452851</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452850</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452849</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452848</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452847</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452846</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452845</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452844</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452843</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452842</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452841</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452840</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452839</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452838</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452837</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452836</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452835</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452834</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452833</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452832</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452831</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452830</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452829</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452828</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
</TimeCreated>
<EventRecordID>452827</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452826</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x520</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452825</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
</TimeCreated>
<EventRecordID>452824</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x468</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452823</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452822</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452821</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452820</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452819</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452818</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452817</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452816</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452815</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452814</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x520</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452813</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x468</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452922</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452921</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452920</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452919</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452918</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x420</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452917</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
|
||
|
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
|
||
|
<System>
|
||
|
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
|
||
|
</Provider>
|
||
|
<EventID>4663</EventID>
|
||
|
<Version>0</Version>
|
||
|
<Level>0</Level>
|
||
|
<Task>12801</Task>
|
||
|
<Opcode>0</Opcode>
|
||
|
<Keywords>0x8020000000000000</Keywords>
|
||
|
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
|
||
|
</TimeCreated>
|
||
|
<EventRecordID>452916</EventRecordID>
|
||
|
<Correlation>
|
||
|
</Correlation>
|
||
|
<Execution ProcessID=""4"" ThreadID=""60"">
|
||
|
</Execution>
|
||
|
<Channel>Security</Channel>
|
||
|
<Computer>PC01.example.corp</Computer>
|
||
|
<Security>
|
||
|
</Security>
|
||
|
</System>
|
||
|
<EventData>
|
||
|
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
|
||
|
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
|
||
|
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
|
||
|
<Data Name=""SubjectLogonId"">0x3e5</Data>
|
||
|
<Data Name=""ObjectServer"">Security</Data>
|
||
|
<Data Name=""ObjectType"">Key</Data>
|
||
|
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
|
||
|
<Data Name=""HandleId"">0x1ac</Data>
|
||
|
<Data Name=""AccessList"">%%4432
|
||
|
</Data>
|
||
|
<Data Name=""AccessMask"">0x1</Data>
|
||
|
<Data Name=""ProcessId"">0x5a8</Data>
|
||
|
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
|
||
|
</EventData>
|
||
|
</Event>"
|
||
|
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452915</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452914</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452913</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452912</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452911</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452910</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452909</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452908</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x1ac</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452907</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
</TimeCreated>
<EventRecordID>452906</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""60"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Key</Data>
<Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
<Data Name=""HandleId"">0x420</Data>
<Data Name=""AccessList"">%%4432
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x5a8</Data>
<Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>"
2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12802</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
</TimeCreated>
<EventRecordID>314462</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""160"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""AccessList"">%%4484
</Data>
<Data Name=""AccessMask"">0x10</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>"
1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""44"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
</TimeCreated>
<EventRecordID>4990</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
</TimeCreated>
<EventRecordID>4989</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"
2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
</TimeCreated>
<EventRecordID>4988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""68"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0xffa8</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">File</Data>
<Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
<Data Name=""HandleId"">0x50</Data>
<Data Name=""AccessList"">%%4416
</Data>
<Data Name=""AccessMask"">0x1</Data>
<Data Name=""ProcessId"">0x134c</Data>
<Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
</EventData>
</Event>"