LsaSrv

87 events across 6 channels

Event ID	Title	Channel
100	The security package does not cache the credentials needed to authenticate to …	Operational
200	A security package received a network logon request after the logoff completed.	Operational
300	Groups assigned to a new logon.	Operational
301	Claims assigned to a new logon.	Operational
302	User %1 logged off notification is received.	Operational
303	The security package does not cache the user's sign on credentials.	Operational
320	Automatic restart sign on successfully configured the autologon credentials for: …	Operational
321	Automatic restart sign on failed to configure the autologon credentials with …	Operational
322	Automatic restart sign on successfully deleted autologon credentials from LSA …	Operational
5000	The security package %1 generated an exception.	System
6025	Could not upgrade the Trusted domain object for domain {Domain}.	System
6027	Could not upgrade the global secret %1.	System
6029	LSA could not update domain information in the registry to match the DS.	System
6031	The database contains invalid information for trusted domain {Domain}.	System
6033	An anonymous session connected from %1 has attempted to open an LSA policy …	System
6034	The new top level name; {TopLevelName}; has been added to the forest …	System
6035	During a logon attempt, the user's security context accumulated too many …	System
6036	The program %2, with the assigned Process ID %1, supplied a NULL or empty target …	System
6037	The program %2, with the assigned process ID %1, could not authenticate locally …	System
6038	Microsoft Windows Server has detected that NTLM authentication is presently …	System
6039	Microsoft Windows Server has detected that NTLM authentication is being used …	System
6040	An authentication request for package %1 was rejected because the target …	System
6041	A CredSSP authentication to %1 failed to negotiate a common protocol version.	System
6144	A secret object private to LSA was queried by a client.	System
6145	An error occurred while retrieving new Central Access Policies for this machine.	System
6146	An error occurred while processing new Central Access Policies for this machine.	System
6147	Credential Guard is configured to run, but is not licensed.	System
6148	The PDC completed an automatic trust scan operation for all trusts with no …	System
6149	The PDC completed an automatic trust scan operation for all trusts and …	System
6150	The PDC completed an administrator-requested trust scan operation for the trust …	System
6151	The PDC was unable to find the specified trust '%1' to scan.	System
6152	The PDC completed an administrator-requested trust scan operation for the trust …	System
6153	The PDC encountered an error trying to scan the named trust.	System
6154	Possible use of roaming Credential Manager credentials with Credential Guard …	System
6155	LSA package is not signed as expected.	System
6156	Credential Guard auto enablement status.	System
6157	The PDC completed a background trust scan operation of the named trust.	System
6158	Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1	System
6160	LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: %1	System
6161	Credential Guard configuration: %1, %2, %3.	System
6162	Key Guard was started and will protect VSM-isolated keys.	System
6163	Credential Guard was started and will protect LSA credentials.	System
6164	Credential Guard is configured but the secure kernel is not running; continuing …	System
6165	VBS bound machine secret is present but falling back to LSA bound secret.	System
6166	Machine Identity Isolation status: Credential Guard running: %1 Group Policy: %2 …	System
6167		Unknown
6167	There is a partial mismatch in the machine ID.	System
6182	LogonSession alive after interactive user logoff.	Diagnostic
6225		Performance
6226		Performance
6227		Performance
6228		Performance
6229		Performance
6230		Performance
6231		Performance
6232		Performance
29186	Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.	System
29187	Running the Security Configuration Editor over the Domain Controller encountered …	System
29188	An existing; incompatible trust object was found on the parent server for domain …	System
29216	Failed to disable auto logon following the successful upgrade of a domain …	System
29217	Failed to set the default logon domain to {DomainName}.	System
29221	During the demotion operation; the trust object on {ParentName} could not be …	System
29241	Dcpromo failed to configure the new starttype of {Flags} for the service …	System
29242	Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during …	System
32768	The interdomain trust account for the domain {Domain} could not be deleted.	System
32772	The interdomain trust account for the domain {Domain} could not be created.	System
32773	A lookup request was made that required connectivity to a domain controller in …	System
32774	A lookup request was made that required connectivity to the domain controller …	System
32775	A lookup request was made that required the lookup services on the remote domain …	System
32777	The LSA was unable to register its RPC interface over the TCP/IP interface.	System
32778	The name {Name} was translated to SID {SID} from the trusted forest {Forest}.	System
32779		Application
32779		Unknown
32780	The LSA was unable to notify UBPM during startup with status %1.	System
40960	The Security System detected an authentication error for the server %1.	System
40961	The Security System could not establish a secured connection with the server %1.	System
40962	The Security System was unable to authenticate to the server %1 because the …	System
40964	The Security System received an authentication attempt with an unknown …	System
40965	The Security System has selected %2 for the authentication protocol to server …	System
40966	The Security System has received an authentication attempt, and determined that …	System
40967	The Security System has received an authentication request directly for …	System
40968	The Security System has received an authentication request that could not be …	System
40969	The Security System has received an authentication attempt, and determined that …	System
40970	The Security System has detected a downgrade attempt when contacting the 3-part …	System
45056	Logon cache was disabled.	System
45057	A failed logon attempt has caused a logon cache entry for user %1 to be deleted.	System
45058	A logon cache entry for user %1 was the oldest entry and was removed.	System

Event ID 100 — The security package does not cache the credentials needed to authenticate to the server.

Provider
LsaSrv
Channel
Operational

Message

The security package does not cache the credentials needed to authenticate to the server.

Package Name:	%1
User Name:	%2
Domain Name:	%3
Server Name:	%4
Protected User:	%5
Error Code:	%6

Fields

Name	Description
Package_Name
User_Name
Domain_Name
Server_Name
Protected_User
Error_Code
PackageName
UserName
DomainName
ServerName
ProtectedUser
ErrorCode

Event ID 200 — A security package received a network logon request after the logoff completed.

Provider
LsaSrv
Channel
Operational

Message

A security package received a network logon request after the logoff completed.

User Name:	%1
Domain Name:	%2
Logon ID:	%3
Logoff Time:	%4
PID:	%5
Program:	%6
Principal Name:	%7
Server Name:	%8
Package Name:	%9
Call Type:	%10
Error Code:	%11

Fields

Name	Description
User_Name
Domain_Name
Logon_ID
Logoff_Time
PID
Program
Principal_Name
Server_Name
Package_Name
Call_Type
Error_Code
UserName
DomainName
LogonId
LogoffTime
PrincipalName
ServerName
PackageName
CallType
ErrorCode

Event ID 300 — Groups assigned to a new logon.

Provider
LsaSrv
Channel
Operational
Level
4
Samples
1

Message

Groups assigned to a new logon.

New Logon:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4
	Logon GUID:		%5

Event in sequence:		%6 of %7

Group Membership:		%8

Fields

Name	Description
TargetUserSid	[New Logon] Security ID.
TargetUserName	[New Logon] Account Name.
TargetDomainName	[New Logon] Account Domain.
TargetLogonId	[New Logon] Logon ID.
TargetLogonGuid	[New Logon] Logon GUID.
EventOrginal	[New Logon] Event in sequence.
EventCountTotal
SidList	[New Logon] Group Membership.

Example Event

system:
  provider: LsaSrv
  guid: 199FE037-2B82-40A9-82AC-E1D46C792B99
  event_source_name: ''
  event_id: 300
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693952
  time_created: '2023-11-06T02:03:41.600577+00:00'
  event_record_id: 220
  correlation:
    ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
  execution:
    process_id: 808
    thread_id: 844
  channel: Microsoft-Windows-LSA/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TargetUserSid: S-1-5-20
  TargetUserName: NETWORK SERVICE
  TargetDomainName: NT AUTHORITY
  TargetLogonId: '0x3e4'
  TargetLogonGuid: 00000000-0000-0000-0000-000000000000
  EventOrginal: 1
  EventCountTotal: 1
  SidList: "\r\n\t\t%{S-1-5-20}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-6}\r\n\t\t%{S-1-2-1}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628}\r\n\t\t%{S-1-2-0}\r\n\t\t%{S-1-5-32-545}"
message: ''

Sigma Rules

References

Event ID 301 — Claims assigned to a new logon.

Provider
LsaSrv
Channel
Operational

Message

Claims assigned to a new logon.

New Logon:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4
	Logon GUID:		%5


	Logon Type:		%6



Event in sequence:		%7 of %8

User Claims:		%9

Device Claims:		%10

This event is generated when a new logon session is created and the user token associated with it contains user and/or device claims. The New Logon fields indicate the account that was logged on. If all the user and device claims in the user token cannot be accommodated in a single event, multiple such events are generated. The Event in sequence field indicates how many more events are generated for this logon session. Each user or device claim is represented in the following format:

	ClaimID ClaimTypeID : Value1, Value2 …

The common claim types are: 0 (Invalid Type), 1 (64-bit Integer), 2 (Unsigned 64-bit Integer), 3 (String), 4 (FQBN), 5 (SID), 6 (Boolean) and 16 (Blob). If the claim value exceeds the max allowed length then the string is terminated by ...
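The group list of Event ID 300 and the claim lines of Event ID 301 both arrive as one string field (SidList, UserClaims, DeviceClaims) that has to be split before it is useful, and a long logon may be spread over several events ("Event in sequence N of M"). The following is an added example, not code from this page or from Microsoft: it parses the SidList layout shown in the 300 example above, re-joins the sequence parts per TargetLogonId, flags well-known privileged groups, and parses claim lines in the "ClaimID ClaimTypeID : Value1, Value2 …" layout described for 301. It assumes event_data dicts shaped like the YAML examples on this page and that a ClaimID contains no spaces; the first sample 300 event is copied from the page, while the two-part CORP\jdoe logon and the claim strings are constructed sample data.

```python
"""Parse LsaSrv/Operational 300 (group SIDs) and 301 (claims) event data.

Added example (not from this page or Microsoft). Assumes event_data dicts shaped like
the YAML examples on this page. The NETWORK SERVICE 300 event is copied from the page;
the CORP\\jdoe events and the claim strings are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SidList entries are wrapped as %{S-1-...} and separated by CRLF plus tabs.
_SID_RE = re.compile(r"%\{(S-1-[0-9-]+)\}")

# Starting set of privileged BUILTIN aliases and domain-relative RIDs; extend per environment.
PRIVILEGED_BUILTIN = {
    "S-1-5-32-544": "Administrators", "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Claim type IDs as listed in the Event ID 301 description.
CLAIM_TYPES = {0: "Invalid", 1: "Int64", 2: "UInt64", 3: "String", 4: "FQBN", 5: "SID", 6: "Boolean", 16: "Blob"}


def parse_sid_list(raw: str) -> list[str]:
    """SIDs of a SidList field, in order; duplicates are kept as they appear in the event."""
    return _SID_RE.findall(raw)


def privileged_groups(sids: list[str]) -> list[tuple[str, str]]:
    """(sid, name) for every privileged group SID present in the token."""
    hits = []
    for sid in sids:
        if sid in PRIVILEGED_BUILTIN:
            hits.append((sid, PRIVILEGED_BUILTIN[sid]))
            continue
        parts = sid.split("-")
        # Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>; the RID identifies the group.
        if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
            rid = int(parts[7])
            if rid in PRIVILEGED_DOMAIN_RIDS:
                hits.append((sid, PRIVILEGED_DOMAIN_RIDS[rid]))
    return hits


@dataclass
class LogonGroups:
    logon_id: str
    account: str
    sids: list[str] = field(default_factory=list)
    parts_seen: set[int] = field(default_factory=set)
    parts_total: int = 0

    @property
    def complete(self) -> bool:
        """True once every 'Event in sequence N of M' part of this logon has been seen."""
        return self.parts_total > 0 and self.parts_seen == set(range(1, self.parts_total + 1))


def aggregate_event_300(events: list[dict]) -> dict[str, LogonGroups]:
    """Merge the sequence parts of Event ID 300, keyed by TargetLogonId."""
    by_logon: dict[str, LogonGroups] = {}
    for ev in events:
        d = ev["event_data"]
        lg = by_logon.setdefault(d["TargetLogonId"], LogonGroups(
            d["TargetLogonId"], f"{d['TargetDomainName']}\\{d['TargetUserName']}"))
        lg.parts_total = int(d["EventCountTotal"])
        lg.parts_seen.add(int(d["EventOrginal"]))  # "EventOrginal" is the manifest's own spelling
        lg.sids.extend(parse_sid_list(d["SidList"]))
    return by_logon


def triage_logons(events: list[dict]) -> dict[str, dict]:
    """Per logon ID: account, whether all parts arrived, and any privileged group memberships."""
    return {lid: {"account": lg.account, "complete": lg.complete, "privileged": privileged_groups(lg.sids)}
            for lid, lg in aggregate_event_300(events).items()}


@dataclass
class Claim:
    claim_id: str
    claim_type: str
    values: list[str]
    truncated: bool  # the value list ended in "..." because it exceeded the max length


# One claim per line: "ClaimID ClaimTypeID : Value1, Value2 ..."; ClaimID assumed to contain no spaces.
_CLAIM_RE = re.compile(r"^(\S+)\s+(\d+)\s*:\s*(.*)$")


def parse_claims(raw: str) -> list[Claim]:
    claims = []
    for line in raw.splitlines():
        m = _CLAIM_RE.match(line.strip())
        if not m:
            continue  # blank leading line or a line that does not follow the documented layout
        claim_id, type_id, values = m.groups()
        truncated = values.endswith("...")
        if truncated:
            values = values[:-3]
        claims.append(Claim(claim_id, CLAIM_TYPES.get(int(type_id), f"Unknown({type_id})"),
                            [v.strip() for v in values.split(",") if v.strip()], truncated))
    return claims


def _sid_list(*sids: str) -> str:
    """Build a SidList string in the event's own layout (constructed sample data)."""
    return "".join(f"\r\n\t\t%{{{s}}}" for s in sids)


SAMPLE_300 = [
    {"event_data": {"TargetUserName": "NETWORK SERVICE", "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x3e4",
                    "EventOrginal": 1, "EventCountTotal": 1,
                    "SidList": _sid_list("S-1-5-20", "S-1-1-0", "S-1-5-32-545", "S-1-5-6", "S-1-2-1", "S-1-5-11")}},
    {"event_data": {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "TargetLogonId": "0x5a2f1",
                    "EventOrginal": 1, "EventCountTotal": 2, "SidList": _sid_list("S-1-5-21-1-2-3-1105", "S-1-5-32-545")}},
    {"event_data": {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "TargetLogonId": "0x5a2f1",
                    "EventOrginal": 2, "EventCountTotal": 2, "SidList": _sid_list("S-1-5-21-1-2-3-512", "S-1-5-32-544")}},
]
SAMPLE_301_USER_CLAIMS = ("\r\n\t\tad://ext/Department:88d4d68c4fd1e96b 3 : Finance, Accounting"
                          "\r\n\t\tad://ext/Clearance:1b2c3d4e 1 : 3"
                          "\r\n\t\tad://ext/Projects:9ab8c7d6 3 : Alpha, Beta, Gam...")

if __name__ == "__main__":
    for lid, info in triage_logons(SAMPLE_300).items():
        print(lid, info)
    for claim in parse_claims(SAMPLE_301_USER_CLAIMS):
        print(claim)
```

Because the parts of one logon can arrive out of order or be dropped by a collector, a detection should key on TargetLogonId and wait for `complete` before deciding a token is unprivileged; the sample CORP\jdoe logon only reveals Domain Admins and Administrators in its second part.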

Fields

Name	Description
TargetUserSid
TargetUserName
TargetDomainName
TargetLogonId
TargetLogonGuid
LogonType
EventIdx
EventCountTotal
UserClaims
DeviceClaims

Event ID 302 — User %1 logged off notification is received.

Provider
LsaSrv
Channel
Operational

Message

User %1 logged off notification is received.

LogonId:	%2
AuthorityName:	%3
AccountName:	%4
Timeout:	%5 seconds

Fields

Name	Description
LogonId
AuthorityName
AccountName
Timeout
UserSid
Elapse

Event ID 303 — The security package does not cache the user's sign on credentials.

Provider
LsaSrv
Channel
Operational

Message

The security package does not cache the user's sign on credentials.

Package Name:	%1
User Name:	%2
Domain Name:	%3
Protected User:	%4

Fields

Name	Description
Package_Name
User_Name
Domain_Name
Protected_User
PackageName
UserName
DomainName
ProtectedUser

Event ID 320 — Automatic restart sign on successfully configured the autologon credentials for: Account Name: %1 Account Domain: %2.

Provider
LsaSrv
Channel
Operational

Message

Automatic restart sign on successfully configured the autologon credentials for:

	Account Name:		%1
	Account Domain:		%2

Fields

Name	Description
Account_Name	[Automatic restart sign on successfully configured the autologon credentials for] Account Name.
Account_Domain	[Automatic restart sign on successfully configured the autologon credentials for] Account Domain.
UserName
DomainName

Event ID 321 — Automatic restart sign on failed to configure the autologon credentials with error.

Provider
LsaSrv
Channel
Operational

Message

Automatic restart sign on failed to configure the autologon credentials with error:

%1

Fields

Name	Description
Error

Event ID 322 — Automatic restart sign on successfully deleted autologon credentials from LSA memory

Provider
LsaSrv
Channel
Operational

Message

Automatic restart sign on successfully deleted autologon credentials from LSA memory

Event ID 5000 — The security package %1 generated an exception.

Provider
LsaSrv
Channel
System

Message

The security package %1 generated an exception. The exception information is the data.

Fields

Name	Description
Package
Exception
__binLength

Event ID 6025 — Could not upgrade the Trusted domain object for domain {Domain}.

Provider
LsaSrv
Channel
System

Message

Could not upgrade the Trusted domain object for domain {Domain}. Please recreate the trust manually.

Fields

Name	Description
Domain

Event ID 6027 — Could not upgrade the global secret %1.

Provider
LsaSrv
Channel
System

Message

Could not upgrade the global secret %1. Please check the status of all services in the system.

Fields

Name	Description
Secret
status
__binLength

Event ID 6029 — LSA could not update domain information in the registry to match the DS.

Provider
LsaSrv
Channel
System

Message

LSA could not update domain information in the registry to match the DS. Error={Error}.

Fields

Name	Description
Error

Event ID 6031 — The database contains invalid information for trusted domain {Domain}.

Provider
LsaSrv
Channel
System

Message

The database contains invalid information for trusted domain {Domain}.

Fields

Name	Description
Domain

Event ID 6033 — An anonymous session connected from %1 has attempted to open an LSA policy handle on this machine.

Provider
LsaSrv
Channel
System

Message

An anonymous session connected from %1 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
 The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
 This message will be logged at most once a day.

Fields

Name	Description
Client

Event ID 6034 — The new top level name; {TopLevelName}; has been added to the forest {Forestname}.

Provider
LsaSrv
Channel
System

Message

The new top level name; {TopLevelName}; has been added to the forest {Forestname}. Name suffix routing for this new name is disabled because it is not within any currently routed namespace. Objects can not be resolved from this new namespace until name suffix routing is enabled for the namespace. To enable name suffix routing; open Domains and Trusts and see help under Name Suffix Routing and Forest Trusts.

Fields

Name	Description
TopLevelName
Forestname

Event ID 6035 — During a logon attempt, the user's security context accumulated too many security IDs.

Provider
LsaSrv
Channel
System

Message

During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.
User's SID is %1
If this is the Administrator account, logging on in safe mode will enable Administrator to log on by automatically restricting group memberships.

Fields

Name	Description
SID

Event ID 6036 — The program %2, with the assigned Process ID %1, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSe...

Provider
LsaSrv
Channel
System

Message

The program %2, with the assigned Process ID %1, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSecurityContext API to initiate an outbound NTLM security context. This is a security risk when mutual authentication is required.
 
 To help protect against a malicious attack, make your code more secure. To do this, change the program so that it specifies a target name in the pszTargetName parameter field, and then recompile the code.

Fields

Name	Description
PID
Program

Event ID 6037 — The program %2, with the assigned process ID %1, could not authenticate locally by using the target name %3.

Provider
LsaSrv
Channel
System

Message

The program %2, with the assigned process ID %1, could not authenticate locally by using the target name %3. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
 
 Try a different target name.

Fields

Name	Description
PID
Program
TargetName

Event ID 6038 — Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.

Provider
LsaSrv
Channel
System
Level
3
Samples
1

Message

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
 
NTLM is a weaker authentication mechanism. Please check:
 
      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?
 
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Fields

Name	Description
Data_0
Binary

Example Event

system:
  provider: LsaSrv
  guid: '{199fe037-2b82-40a9-82ac-e1d46c792b99}'
  event_source_name: LsaSrv
  event_id: 6038
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:39:24.046564+00:00'
  event_record_id: 1326
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data_0: ''
  Binary: ''
message: ''

Sigma Rules

  • NTLMv1 Logon Between Client and Server
    Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

References

Event ID 6039 — Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.

Provider
LsaSrv
Channel
System

Message

Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
 
NTLM is a weaker authentication mechanism. Please check:
 
      Which applications are using NTLM authentication?
      Are there configuration issue preventing the use stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?
 
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Sigma Rules

  • NTLMv1 Logon Between Client and Server
    Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
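Events 6038 and 6039 only say that some client used NTLM against this server since boot; they carry no client, account or protocol-version detail, and the Sigma rule listed above is titled for NTLMv1 although the event text reports NTLM in general. Answering the message's own first question ("Which applications are using NTLM authentication?") means joining the signal with per-logon Security 4624 records, whose AuthenticationPackageName and LmPackageName fields say whether NTLM was used and whether it was V1 or V2. The following is an added example, not code from this page, from Microsoft or from the Sigma project; it assumes events as plain dicts with the field names above, and every event in it is constructed sample data.

```python
"""Follow-up triage for LsaSrv 6038/6039 (NTLM in use): which clients, and NTLM V1 or V2.

Added example (not from this page, Microsoft or Sigma). Joins the once-per-boot LsaSrv
signal with Security 4624 logon records; all events below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter, defaultdict

NTLM_SIGNAL_EVENTS = {6038, 6039}


def ntlm_signalled(system_events: list[dict]) -> bool:
    """True if LsaSrv reported NTLM use on this server since boot."""
    return any(ev.get("provider") == "LsaSrv" and ev.get("event_id") in NTLM_SIGNAL_EVENTS
               for ev in system_events)


def ntlm_sources(security_events: list[dict]) -> dict[str, Counter]:
    """Count 4624 NTLM logons per (account, workstation, ip), grouped by LmPackageName."""
    by_version: dict[str, Counter] = defaultdict(Counter)
    for ev in security_events:
        if ev.get("event_id") != 4624:
            continue
        d = ev["event_data"]
        if d.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are not what 6038/6039 warn about
        source = (f"{d.get('TargetDomainName', '-')}\\{d.get('TargetUserName', '-')}",
                  d.get("WorkstationName", "-"), d.get("IpAddress", "-"))
        # LmPackageName is "NTLM V1", "NTLM V2" or "-" (version not recorded, e.g. anonymous logon)
        by_version[d.get("LmPackageName", "-")][source] += 1
    return by_version


def triage_ntlm(system_events: list[dict], security_events: list[dict]) -> dict:
    """V1 sources are the urgent list; V2 sources are the Kerberos-migration backlog."""
    if not ntlm_signalled(system_events):
        return {"ntlm_in_use": False, "v1": [], "v2": [], "other": {}}
    src = ntlm_sources(security_events)
    return {
        "ntlm_in_use": True,
        "v1": sorted(src["NTLM V1"].items()),
        "v2": sorted(src["NTLM V2"].items()),
        "other": {k: sum(v.values()) for k, v in src.items() if k not in ("NTLM V1", "NTLM V2")},
    }


def _logon(user: str, ws: str, ip: str, auth_pkg: str, lm_pkg: str) -> dict:
    """Constructed 4624 record with only the fields this triage reads."""
    return {"event_id": 4624, "event_data": {
        "TargetDomainName": "CORP", "TargetUserName": user, "WorkstationName": ws, "IpAddress": ip,
        "AuthenticationPackageName": auth_pkg, "LmPackageName": lm_pkg}}


SAMPLE_SYSTEM = [{"provider": "LsaSrv", "event_id": 6038}]
SAMPLE_SECURITY = [
    _logon("jdoe", "WS01", "10.0.0.5", "Kerberos", "-"),
    _logon("jdoe", "WS01", "10.0.0.5", "NTLM", "NTLM V2"),
    _logon("svc_scan", "LEGACY-SCAN", "10.0.0.77", "NTLM", "NTLM V1"),
    _logon("svc_scan", "LEGACY-SCAN", "10.0.0.77", "NTLM", "NTLM V1"),
    _logon("ANONYMOUS LOGON", "-", "10.0.0.99", "NTLM", "-"),
]

if __name__ == "__main__":
    for key, value in triage_ntlm(SAMPLE_SYSTEM, SAMPLE_SECURITY).items():
        print(key, value)
```

On a real host the two inputs would come from the System log (LsaSrv provider) and the Security log of the same server, and the V1 list is what to chase before raising LmCompatibilityLevel or enabling Extended Protection, since those clients break first.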

Event ID 6040 — An authentication request for package %1 was rejected because the target information was invalid.

Provider
LsaSrv
Channel
System

Message

An authentication request for package %1 was rejected because the target information was invalid.  The authentication request did not match the target name of %2.

Fields

Name	Description
Package
TargetName

Event ID 6041 — A CredSSP authentication to %1 failed to negotiate a common protocol version.

Provider
LsaSrv
Channel
System

Message

A CredSSP authentication to %1 failed to negotiate a common protocol version.  The remote host offered version %2 which is not permitted by Encryption Oracle Remediation.

See https://go.microsoft.com/fwlink/?linkid=866660 for more information.

Fields

Name	Description
TargetName
TargetVersion

Event ID 6144 — A secret object private to LSA was queried by a client.

Provider
LsaSrv
Channel
System

Message

A secret object private to LSA was queried by a client. This object was returned in encrypted format for security reasons.

References

Event ID 6145 — An error occurred while retrieving new Central Access Policies for this machine.

Provider
LsaSrv
Channel
System

Message

An error occurred while retrieving new Central Access Policies for this machine.

Could not retrieve policies for the following DNs:
%1

Fields

Name	Description
MissingCAPDNs

References

Event ID 6146 — An error occurred while processing new Central Access Policies for this machine.

Provider
LsaSrv
Channel
System

Message

An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies:

	Error:		%1

	Name:		%2
	Description:	%3

Fields

Name	Description
Error	[An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Error.
Name	[An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Name.
Description	[An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Description.
CAPEName
CAPEDesc

Event ID 6147 — Credential Guard is configured to run, but is not licensed.

Provider
LsaSrv
Channel
System

Message

Credential Guard is configured to run, but is not licensed. Credential Guard was not started.

Event ID 6148 — The PDC completed an automatic trust scan operation for all trusts with no errors.

Provider
LsaSrv
Channel
System
Level
4
Samples
1

Message

The PDC completed an automatic trust scan operation for all trusts with no errors.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Example Event

system:
  provider: LsaSrv
  guid: 199FE037-2B82-40A9-82AC-E1D46C792B99
  event_source_name: ''
  event_id: 6148
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:08:01.191328+00:00'
  event_record_id: 1299
  correlation: {}
  execution:
    process_id: 664
    thread_id: 2808
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Event ID 6149 — The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.

Provider
LsaSrv
Channel
System

Message

The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Event ID 6150 — The PDC completed an administrator-requested trust scan operation for the trust '%1' with no errors.

Provider
LsaSrv
Channel
System

Message

The PDC completed an administrator-requested trust scan operation for the trust '%1' with no errors.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

Name	Description
TrustName

Event ID 6151 — The PDC was unable to find the specified trust '%1' to scan.

Provider
LsaSrv
Channel
System

Message

The PDC was unable to find the specified trust '%1' to scan. The trust either does not exist or it is neither an inbound or bidirectional trust.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

Name	Description
TrustName

Event ID 6152 — The PDC completed an administrator-requested trust scan operation for the trust '%1' and encountered an error.

Provider
LsaSrv
Channel
System

Message

The PDC completed an administrator-requested trust scan operation for the trust '%1' and encountered an error. The security of the local forest is unaffected by this error. The trusting forest may be at risk until the issue is resolved.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

Name	Description
TrustName

Event ID 6153 — The PDC encountered an error trying to scan the named trust.

Provider
LsaSrv
Channel
System

Message

The PDC encountered an error trying to scan the named trust. The security of the local forest is unaffected by this error. The trusting forest may be at risk until the issue is resolved.

Trust: %1

Error: %2(%3)

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

Name	Description
Trust
Error
TrustName
ErrorCodeHex
ErrorCode

Event ID 6154 — Possible use of roaming Credential Manager credentials with Credential Guard detected.

Provider
LsaSrv
Channel
System

Message

Possible use of roaming Credential Manager credentials with Credential Guard detected. This feature is unsupported. Refer to Credential Guard documentation for more details.

Event ID 6155 — LSA package is not signed as expected.

Provider
LsaSrv
Channel
System
Level
3
Samples
1

Message

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: %1

Fields

Name	Description
PackageName

Example Event

system:
  provider: LsaSrv
  guid: 199FE037-2B82-40A9-82AC-E1D46C792B99
  event_source_name: ''
  event_id: 6155
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:27.966390+00:00'
  event_record_id: 1665
  correlation:
    ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
  execution:
    process_id: 808
    thread_id: 812
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PackageName: msv1_0
message: ''

References

Event ID 6156 — Credential Guard auto enablement status.

Provider
LsaSrv
Channel
System
Level
4
Samples
1

Message

Credential Guard auto enablement status.

Hardware Requirements for Virtualization Based Security:	%1
Domain Joined:	%2
Azure AD Joined:	%3
 Licensed for Credential Guard:	%4
Domain Controller:	%5

Fields

Name	Description
HardwareChecks	Hardware Requirements.
ADDomainJoin	Domain Joined.
AADDomainJoin	Azure AD Joined.

Example Event

system:
  provider: LsaSrv
  guid: 199FE037-2B82-40A9-82AC-E1D46C792B99
  event_source_name: ''
  event_id: 6156
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:27.300426+00:00'
  event_record_id: 1655
  correlation: {}
  execution:
    process_id: 808
    thread_id: 812
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  HardwareChecks: 1
  ADDomainJoin: 0
  AADDomainJoin: 0
message: ''

References

Event ID 6157 — The PDC completed a background trust scan operation of the named trust.

Provider
LsaSrv
Channel
System

Message

The PDC completed a background trust scan operation of the named trust.

Trust: %1

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

Name	Description
TrustName

Event ID 6158 — Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1

Provider
LsaSrv
Channel
System

Message

Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1

Fields

Name	Description
Status

Event ID 6160 — LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: %1

Provider
LsaSrv
Channel
System

Message

LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: %1

Fields

Name	Description
Status

Event ID 6161 — Credential Guard configuration: %1, %2, %3.

Provider
LsaSrv
Channel
System

Message

Credential Guard configuration: %1, %2, %3

Fields

Name	Description
Config
IsTestConfig
AutoEnabled

Event ID 6162 — Key Guard was started and will protect VSM-isolated keys.

Provider
LsaSrv
Channel
System

Message

Key Guard was started and will protect VSM-isolated keys.

Event ID 6163 — Credential Guard was started and will protect LSA credentials.

Provider
LsaSrv
Channel
System

Message

Credential Guard was started and will protect LSA credentials.

Event ID 6164 — Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

Provider
LsaSrv
Channel
System

Message

Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

Event ID 6165 — VBS bound machine secret is present but falling back to LSA bound secret.

Provider
LsaSrv
Channel
System

Message

VBS bound machine secret is present but falling back to LSA bound secret.
Credential Guard running status: %1
VBS bound secret validity: %2

Fields

Name	Description
CredGuardRunning
IsPasswordValid

Event ID 6166 — Machine Identity Isolation status: Credential Guard running: %1 Group Policy: %2 Machine secret source: %3 VBS bound secret validity: %4.

Provider
LsaSrv
Channel
System

Message

Machine Identity Isolation status:
Credential Guard running: %1
Group Policy: %2
Machine secret source: %3
VBS bound secret validity: %4

Fields

Name	Description
CredGuardRunning
GroupPolicyStatus
MachinePasswordSource
MachinePasswordValidity
MachineCertificatePresent

Event ID 6167 —

Provider
LsaSrv
Channel
Unknown

Event ID 6167 — There is a partial mismatch in the machine ID.

Provider
LsaSrv
Channel
System

Message

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

Event ID 6182 — LogonSession alive after interactive user logoff.

Provider
LsaSrv
Channel
Diagnostic

Message

LogonSession alive after interactive user logoff. Indicates a possible token leak in one of the services. 
Logon ID:%1
Account Name:%2
Domain Name:%3

Fields

Name	Description
Logon_ID
Account_Name
Domain_Name
TargetLogonId
AccountName
DomainName

Event ID 6225 —

Provider
LsaSrv
Channel
Performance

Event ID 6226 —

Provider
LsaSrv
Channel
Performance

Event ID 6227 —

Provider
LsaSrv
Channel
Performance

Event ID 6228 —

Provider
LsaSrv
Channel
Performance

Event ID 6229 —

Provider
LsaSrv
Channel
Performance

Event ID 6230 —

Provider
LsaSrv
Channel
Performance

Event ID 6231 —

Provider
LsaSrv
Channel
Performance

Event ID 6232 —

Provider
LsaSrv
Channel
Performance

Event ID 29186 — Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.

Provider
LsaSrv
Channel
System

Message

Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.  The return code is the data.

Fields

Name	Description
OldScripts
NewScripts

Event ID 29187 — Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error.

Provider
LsaSrv
Channel
System

Message

Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error.  Further details can be obtained by examining the log file {Logfile}.  The return code is the data.

Fields

Name	Description
Logfile

Event ID 29188 — An existing; incompatible trust object was found on the parent server for domain {DomainName}.

Provider
LsaSrv
Channel
System

Message

An existing; incompatible trust object was found on the parent server for domain {DomainName}.  It has been removed and replaced with an updated trust.

Fields

Name	Description
DomainName

Event ID 29216 — Failed to disable auto logon following the successful upgrade of a domain controller.

Provider
LsaSrv
Channel
System

Message

Failed to disable auto logon following the successful upgrade of a domain controller.  Unable to delete registry key {Path}.  The return code is the data.

Fields

Name	Description
Path

Event ID 29217 — Failed to set the default logon domain to {DomainName}.

Provider
LsaSrv
Channel
System

Message

Failed to set the default logon domain to {DomainName}.  The return code is the data.

Fields

Name	Description
DomainName

Event ID 29221 — During the demotion operation; the trust object on {ParentName} could not be removed.

Provider
LsaSrv
Channel
System

Message

During the demotion operation; the trust object on {ParentName} could not be removed.

Fields

Name	Description
ParentName

Event ID 29241 — Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.

Provider
LsaSrv
Channel
System

Message

Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.

Fields

Name | Description
Flags
ServiceName

Event ID 29242 — Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.

Provider
LsaSrv
Channel
System

Message

Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.

Fields

Name | Description
ServiceName
Dependency

Event ID 32768 — The interdomain trust account for the domain {Domain} could not be deleted.

Provider
LsaSrv
Channel
System

Message

The interdomain trust account for the domain {Domain} could not be deleted. The return code is the data.

Fields

Name | Description
Domain

Event ID 32772 — The interdomain trust account for the domain {Domain} could not be created.

Provider
LsaSrv
Channel
System

Message

The interdomain trust account for the domain {Domain} could not be created. The return code is the data.

Fields

Name | Description
Domain

Event ID 32773 — A lookup request was made that required connectivity to a domain controller in domain %1.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required connectivity to a domain controller in domain %1. The LSA was unable to find a domain controller in the domain and thus failed the request. Please check connectivity and secure channel setup from this domain controller to the domain %2.

Fields

Name | Description
Domain
TargetDomain
status
__binLength

Event ID 32774 — A lookup request was made that required connectivity to the domain controller %1.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required connectivity to the domain controller %1. The local LSA was unable to contact the LSA on the remote domain controller. Please check connectivity and secure channel setup from this domain controller to the domain controller %2.

Fields

Name | Description
Domain
TargetDomain
status
__binLength

Event ID 32775 — A lookup request was made that required the lookup services on the remote domain controller %1.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required the lookup services on the remote domain controller %1. The remote domain controller failed the request thus the local LSA failed the original lookup request. Please check connectivity and secure channel setup from this domain controller to the domain controller %2.

Fields

Name | Description
Domain
TargetDomain
status
__binLength

Event ID 32777 — The LSA was unable to register its RPC interface over the TCP/IP interface.

Provider
LsaSrv
Channel
System

Message

The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

Event ID 32778 — The name {Name} was translated to SID {SID} from the trusted forest {Forest}.

Provider
LsaSrv
Channel
System

Message

The name {Name} was translated to SID {SID} from the trusted forest {Forest}. The domain portion of the SID is not in the list of acceptable SID's found on the trusted domain object; thus this name to SID translation has been ignored.

Fields

Name | Description
Name
SID
Forest

Event ID 32779 —

Provider
LsaSrv
Channel
Application

Event ID 32779 —

Provider
LsaSrv
Channel
Unknown

Fields

Name | Description
SubCategoryGuid

Event ID 32780 — The LSA was unable to notify UBPM during startup with status %1.

Provider
LsaSrv
Channel
System

Message

The LSA was unable to notify UBPM during startup with status %1.

Fields

Name | Description
Status

Event ID 40960 — The Security System detected an authentication error for the server %1.

Provider
LsaSrv
Channel
System

Message

The Security System detected an authentication error for the server %1. The failure code from authentication protocol %2 was %3.

Fields

Name | Description
Target
Protocol
Error

Event ID 40961 — The Security System could not establish a secured connection with the server %1.

Provider
LsaSrv
Channel
System

Message

The Security System could not establish a secured connection with the server %1. No authentication protocol was available.

Fields

Name | Description
Target

Event ID 40962 — The Security System was unable to authenticate to the server %1 because the server has completed the authentication, but the client authentication ...

Provider
LsaSrv
Channel
System

Message

The Security System was unable to authenticate to the server %1 because the server has completed the authentication, but the client authentication protocol %2 has not.

Fields

Name | Description
Target
Protocol

Event ID 40964 — The Security System received an authentication attempt with an unknown authentication protocol.

Provider
LsaSrv
Channel
System

Message

The Security System received an authentication attempt with an unknown authentication protocol. The request has failed.

Event ID 40965 — The Security System has selected %2 for the authentication protocol to server %1.

Provider
LsaSrv
Channel
System

Message

The Security System has selected %2 for the authentication protocol to server %1.

Fields

Name | Description
Target
Protocol

Event ID 40966 — The Security System has received an authentication attempt, and determined that the protocol %1 preferred by the client is acceptable.

Provider
LsaSrv
Channel
System

Message

The Security System has received an authentication attempt, and determined that the protocol %1 preferred by the client is acceptable.

Fields

Name | Description
Protocol

Event ID 40967 — The Security System has received an authentication request directly for authentication protocol %1.

Provider
LsaSrv
Channel
System

Message

The Security System has received an authentication request directly for authentication protocol %1.

Fields

Name | Description
Protocol

Event ID 40968 — The Security System has received an authentication request that could not be decoded.

Provider
LsaSrv
Channel
System

Message

The Security System has received an authentication request that could not be decoded. The request has failed.

Event ID 40969 — The Security System has received an authentication attempt, and determined that the protocol %1 is the common protocol.

Provider
LsaSrv
Channel
System

Message

The Security System has received an authentication attempt, and determined that the protocol %1 is the common protocol.

Fields

Name | Description
Protocol

Event ID 40970 — The Security System has detected a downgrade attempt when contacting the 3-part SPN %1 with error code %2.

Provider
LsaSrv
Channel
System

Message

The Security System has detected a downgrade attempt when contacting the 3-part SPN %1 with error code %2. Authentication was denied.

Fields

Name | Description
Target
Error

Event ID 45056 — Logon cache was disabled.

Provider
LsaSrv
Channel
System

Message

Logon cache was disabled. Intermittent authentication failures may result during periods of network latency or interrupts. Please contact your system administrator.

Event ID 45057 — A failed logon attempt has caused a logon cache entry for user %1 to be deleted.

Provider
LsaSrv
Channel
System

Message

A failed logon attempt has caused a logon cache entry for user %1 to be deleted. The authentication package was %2, and the error message was %3.

Fields

Name | Description
Username
Package
Error

Event ID 45058 — A logon cache entry for user %1 was the oldest entry and was removed.

Provider
LsaSrv
Channel
System

Message

A logon cache entry for user %1 was the oldest entry and was removed. The timestamp of this entry was %2.

Fields

Name | Description
UserName
TimeStamp