Windows 10: Logon event

Hello, can someone help me to get out what kind of event is above?

I can't understand who or what trying to connect into 192.168.10.50 server.

A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: PC-1074-050917$
Account Domain: test
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: admbaltsupuser
Account Domain: HEADOFFICE.test.LV
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: fileserver
Additional Information: cifs/fileserver

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Network Address: 192.168.10.50
Port: 445

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4648
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2018-12-20T07:18:05.494642000Z
EventRecordID 127631
- Correlation
[ ActivityID] {FD92A94E-91ED-0003-6BA9-92FDED91D401}
- Execution
[ ProcessID] 792
[ ThreadID] 34864
Channel Security
Computer PC-1074-050917.headoffice.test.lv
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName PC-1074-050917$
SubjectDomainName test
SubjectLogonId 0x3e7
LogonGuid {00000000-0000-0000-0000-000000000000}
TargetUserName admbaltsupuser
TargetDomainName HEADOFFICE.test.LV
TargetLogonGuid {00000000-0000-0000-0000-000000000000}
TargetServerName fileserver
TargetInfo cifs/fileserver
ProcessId 0x4
ProcessName
IpAddress 192.168.10.50
IpPort 445

:)

 

SPECIAL LOGON in Event Log

Hi Emeline,

Thank you for posting the query on Microsoft Community.

• When you say special logon, what are you referring to?
• What do you mean by private browser window?

Refer the link below for more information about event logs or viewer:

Event
viewer-- What is going on in your computer

Please get back to us with the required information to assist you further.

 

Events duplication (in event viewer) after successful logon (in event viewer).

Can you please explain me why I see several (looks like duplicated) event in Event Viewer after successful logon.

For example after reboot (Win 10 workstation, no domain, no any specific configuration) I see in security log 2 totally identical logs for event 4624, type 2

The same situation for "Unlock"

I want to show you these events in logs:

In this example PC in domain, and I am reproducing windows UNLOCK (logoff - logon):

FIRST EVENT

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/14/2017 1:35:30 PM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: mpxxx.xxx.xxx.net

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: MPxxx$

Account Domain: KIV

Logon ID: 0x3E7

Logon Information:

Logon Type: 7

Restricted Admin Mode: -

Virtual Account: No

Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:

Security ID: UNIVERSE\mpxxx

Account Name: mpxxx

Account Domain: UNIVERSE

Logon ID: 0x3D5986

Linked Logon ID: 0x3D8CF3

Network Account Name: -

Network Account Domain: -

Logon GUID: {a97eb034-e1a9-beba-9e13-0376df13c092}

Process Information:

Process ID: 0x2cc

Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name: MPxxx

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Negotiat

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

SECOND DUPLICATED EVENT:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/14/2017 1:35:30 PM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: mpxxx.xxx.xxx.net

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: MPxxx$

Account Domain: KIV

Logon ID: 0x3E7

Logon Information:

Logon Type: 7

Restricted Admin Mode: -

Virtual Account: No

Elevated Token: No

Impersonation Level: Impersonation

New Logon:

Security ID: UNIVERSE\mpxxx

Account Name: mpxxx

Account Domain: UNIVERSE

Logon ID: 0x3D8CF3

Linked Logon ID: 0x3D5986

Network Account Name: -

Network Account Domain: -

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x2cc

Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name: MPxxx

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Negotiat

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

The only difference is in "Elevated Token: and Logon GUID:" portion of output

Dear MS Guru please give me any ideas why this duplication happens. It is important for because I am planning to send events to third party security system and duplication makes a lot of unnecessary noise

Thank you.

 

SPECIAL LOGON in Event Log

Could these SPECIAL LOGON events be from when I AM USING a 'Private browser window'??? Or is it really someone trying to hack in... ALSO in the Event Log it shows an 'Audit Success' immediately following... so does that mean ,y computer is still SAFE????