ESENT
34 events across 1 channel
Event ID 102 — The database engine started a new instance
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] instance number, [4]–[7] engine version as major, minor, build, revision (10.00.20348.0000 in the example). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 102,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:04:18.031710+00:00",
"event_record_id": 213,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"2648,P,98",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db: ",
"0",
"10",
"00",
"20348",
"0000"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 103 — The database engine stopped the instance
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (avguard in the example). |
| Data_1 | Process ID followed by two engine-internal values; the leading number matches system.execution.process_id. |
| Data_2 | ESE instance display name. |
| Data_3 | Instance number. |
| Data_4 | Internal timing sequence for the shutdown steps (engine diagnostics). |
| Data_5 | 0 in the example; presumably the dirty-shutdown flag — verify against the message template. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 103,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T00:52:50.912506+00:00",
"event_record_id": 1968,
"correlation": {},
"execution": {
"process_id": 6516,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "avguard",
"Data_1": "6516,T,97",
"Data_2": "GaviDB_0: ",
"Data_3": "0",
"Data_4": "\n[1] 0.000056 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[2] 0.002298 +J(0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[3] 0.001712 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)\n[4] 0.000645 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.144663 -0.036786 (7) WT +J(0) +M(C:0K, Fs:84, WS:332K # 0K, PF:0K # 0K, P:0K)\n[6] 0.000012 +J(0)\n[7] 0.000079 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.031475 -0.008007 (10) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3804/2) +M(C:0K, Fs:23, WS:52K # 0K, PF:-24K # 0K, P:-24K)\n[9] 0.001482 -0.000596 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[10] 0.000036 +J(0)\n[11] 0.008375 -0.001099 (2) WT +J(0)\n[12] 0.000078 +J(0) +M(C:0K, Fs:2, WS:4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000572 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[14] 0.000048 +J(0) +M(C:0K, Fs:1, WS:-12K # 0K, PF:-32K # 0K, P:-32K)\n[15] 0.000012 +J(0).",
"Data_5": "0",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 105 — The database engine started a new instance (variant that reports an internal timing sequence)
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] instance number, [4] elapsed time (0 in the example; presumably seconds — verify), [5] internal timing sequence. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 105,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:04:18.422710+00:00",
"event_record_id": 214,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"2648,D,0",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db: ",
"0",
"0",
"\n[1] 0.000907 +J(0) +M(C:0K, Fs:207, WS:804K # 804K, PF:2692K # 2592K, P:2692K)\n[2] 0.000228 +J(0) +M(C:16K, Fs:142, WS:556K # 556K, PF:4132K # 4132K, P:4132K)\n[3] 0.000013 +J(0) +M(C:0K, Fs:3, WS:12K # 12K, PF:64K # 64K, P:64K)\n[4] 0.000154 +J(0) +M(C:2032K, Fs:34, WS:128K # 128K, PF:2440K # 2440K, P:2440K)\n[5] 0.000832 +J(0) +M(C:0K, Fs:10, WS:40K # 40K, PF:24K # 24K, P:24K)\n[6] 0.003014 +J(0) +M(C:0K, Fs:21, WS:84K # 84K, PF:12K # 12K, P:12K)\n[7] 0.335559 -0.330052 (11) WT +J(0) +M(C:0K, Fs:1300, WS:5188K # 5188K, PF:5132K # 5132K, P:5132K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.041925 -0.032647 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:6, WS:-5104K # 16K, PF:-5128K # 12K, P:-5128K)\n[14] 0.000023 +J(0)\n[15] 0.000092 +J(0) +M(C:0K, Fs:65, WS:256K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000769 -0.000141 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K)."
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 204 — The database engine is restoring from backup
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe, the Certificate Services process, in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (Restore0001 in the example). |
| Data_3 | Folder in which log-file replay begins. |
| Data_4 | Folder in which log-file roll-forward continues. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 204,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:07:16.380817+00:00",
"event_record_id": 4241,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "14016,P,98",
"Data_2": "Restore0001: ",
"Data_3": "C:\\Windows\\system32\\CertLog\\",
"Data_4": "C:\\Windows\\system32\\CertLog\\",
"Binary": ""
},
"message": ""
}
Event ID 205 — The database engine has stopped restoring
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (Restore0001 in the example). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 205,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:07:16.486548+00:00",
"event_record_id": 4247,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "14016,U,98",
"Data_2": "Restore0001: ",
"Binary": ""
},
"message": ""
}
Event ID 210 — The database engine has begun a full backup
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID (no trailing engine values on this older ESENT build), [2] ESE instance display name. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 210,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:22:59+00:00",
"event_record_id": 94,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 213 — The database engine has completed the backup procedure successfully
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID, [2] ESE instance display name. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 213,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:23:00+00:00",
"event_record_id": 99,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 216 — A database location change was detected
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name (lsass in the example), [1] process ID, [2] ESE instance display name (empty here), [3] previous database path, [4] new database path (a `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` path in the example). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 216,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2021-06-05T19:36:36.537144+00:00",
"event_record_id": 442136,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"lsass",
"548",
"",
"C:\\Windows\\NTDS\\ntds.dit",
"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\Windows\\NTDS\\ntds.dit"
]
},
"message": ""
}
Detection Patterns #
Credential Access: NTDS — 1 Sigma rule. In the example, lsass (which hosts the NTDS database engine) reports ntds.dit being re-referenced under a volume shadow copy device path. That is the footprint of a shadow-copy-based copy of the directory database (vssadmin, diskshadow, or ntdsutil), but legitimate system-state backups produce the same event, so correlate with the process that created the shadow copy and the account that ran it rather than alerting on this event alone.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 220 — Beginning the backup of a file
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID, [2] ESE instance display name, [3] path of the file being backed up, [4] file size as reported by the engine ("2 Mb" in the example). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 220,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:22:59+00:00",
"event_record_id": 95,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: ",
"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore",
"2 Mb"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 221 — Ending the backup of a file
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID, [2] ESE instance display name, [3] path of the file whose backup finished. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 221,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:22:59+00:00",
"event_record_id": 96,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: ",
"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 223 — Beginning the backup of log files (range)
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID, [2] ESE instance display name, [3] first log file of the range, [4] last log file of the range (the same file in the example). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 223,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:23:00+00:00",
"event_record_id": 97,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: ",
"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log",
"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 224 — Deleting log files
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (empty in the example). |
| Data_3 | First log file of the range being deleted. |
| Data_4 | Last log file of the range being deleted. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 224,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:06:22.480449+00:00",
"event_record_id": 4227,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "13036,D,81",
"Data_2": "",
"Data_3": "C:\\Windows\\system32\\CertLog\\edb00001.log",
"Data_4": "C:\\Windows\\system32\\CertLog\\edb00001.log",
"Binary": ""
},
"message": ""
}
Event ID 225 — No log files can be truncated
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID, [2] ESE instance display name. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 225,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T16:23:00+00:00",
"event_record_id": 98,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"WinMail",
"280",
"WindowsMail0: "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 300 — The database engine is initiating recovery steps
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-04T07:41:19.840598+00:00",
"event_record_id": 119,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"svchost",
"988,R,98",
"DS_Token_DB: "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 301 — The database engine has begun replaying a log file
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] path of the log file being replayed, [4] internal timing sequence, [5]–[6] additional engine diagnostics ("Insert " and "39" in the example; not decoded on this page). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-04T07:41:19.914102+00:00",
"event_record_id": 121,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"svchost",
"988,R,98",
"DS_Token_DB: ",
"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log",
"\n[1] 0.004883 -0.001369 (7) CM -0.002231 (10) WT +J(CM:7, PgRf:69, Rd:4/0, Dy:16/110, Lg:12164/130) +M(C:16K, Fs:11, WS:40K # 0K, PF:16K # 0K, P:16K).",
"Insert ",
"39"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 302 — The database engine has successfully completed recovery steps
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-04T07:41:19.946101+00:00",
"event_record_id": 122,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"svchost",
"988,U,98",
"DS_Token_DB: "
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 325 — The database engine created a new database
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] database identifier (1 in the example; presumably the dbid — verify), [4] full path of the created database, [5] elapsed time (0 in the example; presumably seconds — verify), [6] internal timing sequence, [7]–[8] engine diagnostics including the creation log position (lgposCreate) and database version (dbv). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 325,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:15:12.107010+00:00",
"event_record_id": 106,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"2684,D,35",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db: ",
"1",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db",
"0",
"\n[1] 0.000092 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002221 -0.000629 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)\n[3] 0.003757 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000245 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.001400 -0.000570 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:44, WS:164K # 0K, PF:256K # 0K, P:256K)\n[6] 0.001827 -0.000245 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:76, WS:304K # 0K, PF:224K # 0K, P:224K)\n[7] 0.000703 -0.000290 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000004 +J(0)\n[9] 0.001408 -0.000787 (3) WT +J(0) +M(C:-52K, Fs:8, WS:-28K # 0K, PF:-52K # 0K, P:-52K)\n[10] 0.002190 -0.000416 (6) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:46, WS:176K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000004 +J(0).",
"0 0",
"lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360)"
]
},
"message": ""
}
Detection Patterns #
Credential Access: NTDS — 1 Sigma rule. Event 325 is raised for every ESE database creation (the example is DFSR's dfsr.db), so the rule below keys on a database named ntds.dit being created outside the normal %SystemRoot%\NTDS location, which is what an ntdsutil IFM export or similar dump tooling produces.
Detection Rules #
Sigma #
- Dump Ntds.dit To Suspicious Location source medium: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 326 — The database engine attached a database
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] database identifier (1 in the example; presumably the dbid — verify), [4] full path of the attached database, [5] elapsed time (0 in the example; presumably seconds — verify), [6] internal timing sequence, [7]–[8] engine diagnostics including the attach log position (lgposAttach) and database version (dbv). |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 326,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:04:18.516230+00:00",
"event_record_id": 215,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"2648,D,50",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db: ",
"1",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db",
"0",
"\n[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.050530 -0.049779 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.029634 -0.024734 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:31, WS:116K # 0K, PF:148K # 0K, P:148K)\n[4] 0.000577 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.000668 -0.000387 (2) CM -0.000230 (2) WT +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:54/1) +M(C:-8K, Fs:60, WS:232K # 0K, PF:140K # 0K, P:140K)\n[9] 0.019914 -0.019641 (2) CM -0.019529 (2) WT +J(CM:2, PgRf:23, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:-12K, Fs:30, WS:108K # 0K, PF:188K # 0K, P:188K)\n[10] 0.000976 -0.000799 (1) CM -0.000685 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:6, WS:20K # 0K, PF:60K # 0K, P:60K)\n[11] 0.000022 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000027 +J(CM:0, PgRf:36, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
"0 0",
"lgposAttach = 00000009:011C:0268,\ndbv = 1568.180.400 (9360)"
]
},
"message": ""
}
Detection Patterns #
Credential Access: NTDS — 1 Sigma rule. An attach of ntds.dit from a path other than %SystemRoot%\NTDS (for example a mounted snapshot or a shadow copy path) is the interesting case; attaches of other ESE databases such as the DFSR example above are routine.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 327 — The database engine detached a database
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name (NTDS in the example), [1] process ID, [2] ESE instance display name (empty here), [3] database identifier (1 in the example; presumably the dbid — verify), [4] full path of the detached database, [5] elapsed time (0 in the example; presumably seconds — verify), [6] internal timing sequence, [7] engine diagnostics. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 327,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2021-06-05T19:36:58.926651+00:00",
"event_record_id": 442152,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"7148",
"",
"1",
"C:\\$SNAP_202106051936_VOLUMEC$\\Windows\\NTDS\\ntds.dit",
"0",
"[1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.",
"0 0"
]
},
"message": ""
}
Detection Patterns #
Credential Access: NTDS — 1 Sigma rule. The example detaches ntds.dit from `C:\$SNAP_202106051936_VOLUMEC$\Windows\NTDS\ntds.dit`; a `$SNAP_<timestamp>_VOLUME<letter>$` directory is the mount point that `ntdsutil snapshot mount` creates, so an ntds.dit path of that shape is a strong indicator of an AD database snapshot being accessed and should be correlated with the ntdsutil process creation.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 412 — Unable to read the header of a log file
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | Path of the log file whose header could not be read. |
| Data_4 | JET error code (-501 in the example, JET_errLogFileCorrupt). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 412,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-12T03:05:00.384288+00:00",
"event_record_id": 49444,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "3544,R,98",
"Data_2": "SRUJet: ",
"Data_3": "C:\\Windows\\system32\\SRU\\SRU.log",
"Data_4": "-501",
"Binary": ""
},
"message": ""
}
Event ID 413 — Unable to create a new log file because the database cannot write to the log drive
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | JET error code (-1032 in the example, JET_errFileAccessDenied). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 413,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-14T03:42:00.148167+00:00",
"event_record_id": 37478,
"correlation": {},
"execution": {
"process_id": 4016,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "4016,D,0",
"Data_2": "SRUJet: ",
"Data_3": "-1032",
"Binary": ""
},
"message": ""
}
Event ID 455 — An error occurred while opening a log file
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name. In the example it is certutil.exe rather than the CA service itself, i.e. a command-line tool tried to open the CA database log while (presumably) certsrv.exe still held it; check which account ran certutil and with what arguments. |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (empty in the example). |
| Data_3 | Path of the log file that could not be opened. |
| Data_4 | JET error code in decimal and hex (-1032 / 0xfffffbf8 in the example, JET_errFileAccessDenied). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 455,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:03:01.690404+00:00",
"event_record_id": 4186,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certutil.exe",
"Data_1": "1736,R,98",
"Data_2": "",
"Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
"Data_4": "-1032 (0xfffffbf8)",
"Binary": ""
},
"message": ""
}
Event ID 471 —
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | Numeric value (1525 in the example) whose meaning this page does not establish. |
| Data_4 | Path of the affected database file. |
| Data_5 | JET error code (-510 in the example, JET_errLogWriteFail). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 471,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-14T03:42:00.150050+00:00",
"event_record_id": 37480,
"correlation": {},
"execution": {
"process_id": 4016,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "4016,D,43",
"Data_2": "SRUJet: ",
"Data_3": "1525",
"Data_4": "C:\\Windows\\system32\\sru\\SRUDB.dat",
"Data_5": "-510",
"Binary": ""
},
"message": ""
}
Event ID 490 — An attempt to open a file for read/write access failed with a system error
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certutil.exe in the example — a tool, not the CA service, attempting to open the CA database log; see Data_6). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (empty in the example). |
| Data_3 | Path of the file that could not be opened. |
| Data_4 | Resulting JET error code in decimal and hex (-1032 / 0xfffffbf8 in the example, JET_errFileAccessDenied). |
| Data_5 | Underlying Win32 system error in decimal and hex (32 / 0x00000020 in the example). |
| Data_6 | Text of the Win32 system error ("The process cannot access the file because it is being used by another process." in the example). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 490,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:03:01.689833+00:00",
"event_record_id": 4185,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certutil.exe",
"Data_1": "1736,R,98",
"Data_2": "",
"Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
"Data_4": "-1032 (0xfffffbf8)",
"Data_5": "32 (0x00000020)",
"Data_6": "The process cannot access the file because it is being used by another process. ",
"Binary": ""
},
"message": ""
}
Event ID 492 — The log file sequence has been halted due to a fatal error
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | Folder holding the halted log sequence. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 492,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-14T03:42:00.149257+00:00",
"event_record_id": 37479,
"correlation": {},
"execution": {
"process_id": 4016,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "4016,D,0",
"Data_2": "SRUJet: ",
"Data_3": "C:\\Windows\\system32\\SRU\\",
"Binary": ""
},
"message": ""
}
Event ID 508 — A write to a file succeeded but took an abnormally long time to be serviced by the OS
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | Path of the file written. |
| Data_4 | Write offset in decimal and hex. |
| Data_5 | Number of bytes written in decimal and hex. |
| Data_6 | Time the write took, in seconds. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 508,
"version": 0,
"level": 3,
"task": 7,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T00:33:01.744348+00:00",
"event_record_id": 1942,
"correlation": {},
"execution": {
"process_id": 3160,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "3160,D,0",
"Data_2": "SRUJet: ",
"Data_3": "C:\\Windows\\system32\\SRU\\SRU.log",
"Data_4": "36864 (0x0000000000009000)",
"Data_5": "4096 (0x00001000)",
"Data_6": "23",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 533 — A write to a file has not completed for N seconds
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (svchost in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (SRUJet in the example). |
| Data_3 | Path of the file being written. |
| Data_4 | Write offset in decimal and hex. |
| Data_5 | Number of bytes in the write in decimal and hex. |
| Data_6 | Seconds the write has been outstanding. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 533,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-15T04:09:57.608199+00:00",
"event_record_id": 5739,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "svchost",
"Data_1": "7392,T,0",
"Data_2": "SRUJet: ",
"Data_3": "C:\\Windows\\system32\\SRU\\SRU.chk",
"Data_4": "0 (0x0000000000000000)",
"Data_5": "4096 (0x00001000)",
"Data_6": "36",
"Binary": ""
},
"message": ""
}
Event ID 609 —
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 609,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T19:25:31.000000Z",
"event_record_id": 521,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 612 —
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 612,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T19:25:31.000000Z",
"event_record_id": 522,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 636 —
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (Restore0001 in the example). |
| Data_3 | Path of the database flush map file (.jfm). |
| Data_4 | Reason string (ReadHdrFailed in the example). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 636,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:07:16.391784+00:00",
"event_record_id": 4243,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "14016,P,98",
"Data_2": "Restore0001: ",
"Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
"Data_4": "ReadHdrFailed",
"Binary": ""
},
"message": ""
}
Event ID 637 —
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (Restore0001 in the example). |
| Data_3 | Path of the database flush map file (.jfm). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 637,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:07:16.393005+00:00",
"event_record_id": 4244,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "14016,P,98",
"Data_2": "Restore0001: ",
"Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
"Binary": ""
},
"message": ""
}
Event ID 640 —
Fields #
| Name | Description |
|---|---|
| Data_0 | Process image name (certsrv.exe in the example). |
| Data_1 | Process ID followed by two engine-internal values. |
| Data_2 | ESE instance display name (Restore0001 in the example). |
| Data_3 | JET error code (-1919 in the example). |
| Data_4 | Path of the database flush map file (.jfm). |
| Data_5 | Header signature comparison between the database and the flush map (creation time, random signature and computer name for each of the four header combinations shown in the example). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 640,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:07:16.370498+00:00",
"event_record_id": 4240,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "certsrv.exe",
"Data_1": "14016,P,98",
"Data_2": "Restore0001: ",
"Data_3": "-1919",
"Data_4": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
"Data_5": "[SignDbHdrFromDb:Create time:03/13/2026 23:06:22.503 Rand:3655758382 Computer:] [SignFmHdrFromDb:Create time:03/13/2026 23:06:22.385 Rand:413456288 Computer:] [SignDbHdrFromFm:Create time:03/13/2026 23:06:22.931 Rand:2864051150 Computer:] [SignFmHdrFromFm:Create time:03/13/2026 23:06:22.945 Rand:3852748920 Computer:]",
"Binary": ""
},
"message": ""
}
Event ID 700 — Online defragmentation is beginning a full pass on a database
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] full path of the database being defragmented. |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 700,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-02-28T22:56:52.420762+00:00",
"event_record_id": 2450,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"4004,D,0",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db"
],
"Binary": ""
},
"message": ""
}
Event ID 701 — Online defragmentation has completed a full pass on a database
Fields #
| Name | Description |
|---|---|
| Data | Positional array: [0] process image name, [1] process ID followed by two engine-internal values, [2] ESE instance display name, [3] full path of the defragmented database, [4]–[9] pass statistics (the example includes a start date of 2/28/2026; the remaining counters are not decoded on this page). |
| Binary | Empty in the example. |
Example Event #
{
"system": {
"provider": "ESENT",
"guid": "",
"event_source_name": "",
"event_id": 701,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-02-28T22:56:52.420762+00:00",
"event_record_id": 2451,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"DFSRs",
"4004,D,0",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
"\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db",
"0",
"2/28/2026",
"0",
"1",
"1",
"5"
],
"Binary": ""
},
"message": ""
}