DiBBz
Member
- Local time
- 8:11 PM
- Posts
- 10
- OS
- Windows 11
Thx for taking the time to check out and help me in regards to understand and auditing security events in event viewer.
Im mostly just looking for help / closure in regards a really large volume of events that keep happening every hour ive noticed. it doesn't hurt to be cautious and thoroughly investigating these.
Every day ive noticed that about 70 to 110+ logs gets generated every hour roughly on the dot. but there is always usually a 5-10 min deviation from the last batch of logs
This is typically what the event looks like!
Looking into details The type and read operation sometimes cycles from 1 & %%8099 > TO > 0 & %%8100
The targetname for most of these are focused on all my emails
And before all these logs are generated i will always get the same [ Logon & Special Logon ] Right before they are generated 5 seconds later.
Logon: EID 4624
Special Logon: EID 4672
if Anyone can help explain and put my mind at ease, or help guide if this is something to worry about or not. and if its prone for further investigating. i appreciate the time being taken to look at this thread!
Im mostly just looking for help / closure in regards a really large volume of events that keep happening every hour ive noticed. it doesn't hurt to be cautious and thoroughly investigating these.
Every day ive noticed that about 70 to 110+ logs gets generated every hour roughly on the dot. but there is always usually a 5-10 min deviation from the last batch of logs
This is typically what the event looks like!
Code:
Credential Manager credentials were read.
Subject:
Security ID:DIBBZ\DiBBz
Account Name:DiBBz
Account Domain:DIBBZ
Logon ID:0x4AAD0
Read Operation:Enumerate CredentialsThe targetname for most of these are focused on all my emails
there is a few within the pile that contain
And usually 1 with a (Token) variant as wellWindowsLivecert):name=EmailHere;serviceuri=*
And before all these logs are generated i will always get the same [ Logon & Special Logon ] Right before they are generated 5 seconds later.
Logon: EID 4624
Subject:
Security ID:SYSTEM
Account NameIBBZ$
Account Domain:WORKGROUP
Logon ID:0x3E7
Logon Information:
Logon Type:5
Restricted Admin Mode:-
Remote Credential Guard:-
Virtual Account:No
Elevated Token:Yes
Impersonation Level:Impersonation
New Logon:
Security ID:SYSTEM
Account Name:SYSTEM
Account Domain:NT AUTHORITY
Logon ID:0x3E7
Linked Logon ID:0x0
Network Account Name:-
Network Account Domain:-
Logon GUID:{00000000-0000-0000-0000-000000000000}
Process Information:
Process ID:0x584
Process Name:C:\Windows\System32\services.exe
Network Information:
Workstation Name:-
Source Network Address:-
Source Port:-
Detailed Authentication Information:
Logon Process:Advapi
Authentication Package:Negotiate
Transited Services:-
Package Name (NTLM only):-
Key Length:0
Special Logon: EID 4672
if Anyone can help explain and put my mind at ease, or help guide if this is something to worry about or not. and if its prone for further investigating. i appreciate the time being taken to look at this thread!
- Windows Build/Version
- 24H2
My Computer
System One
-
- OS
- Windows 11
- Computer type
- PC/Desktop
- CPU
- Ryzen 7 9800x3d
- Motherboard
- Gigabyte B650 EAGLE AX
- Memory
- Corsair Vengeance 32 GB (2 x 16 GB) DDR5-6000 CL30 Memory
- Graphics Card(s)
- RTX 2060 [SAVING FOR UPGRADE ATM]
- Monitor(s) Displays
- 2x AOC
- Screen Resolution
- 1080p
- Hard Drives
- Kingston 250gb 2.5" SSD
Sabrent 1TB NVME
WD 1TB HDD
- PSU
- NZXT C650 Gold Modular
- Case
- Lianli LANCOOL 216
- Cooling
- ARCTIC Liquid Freezer III 280
- Keyboard
- Corsair K70 LUX
- Mouse
- Corsair Katar
- Internet Speed
- Gigabit 1000mbps (UP & DOWN)
- Browser
- Brave
