Event ID 5889 — An object was deleted from the COM+ Catalog.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An object was deleted from the COM+ Catalog.

Message

An object was deleted from the COM+ Catalog.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	COM+ Catalog Collection: %5
	Object Name: %6
	Object Details: %7

This event occurs when an object is deleted from the COM+ catalog.

Fields

| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectUserDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ObjectCollectionName | UnicodeString | [Object] COM+ Catalog Collection |
| ObjectIdentifyingProperties | UnicodeString | [Object] Object Name |
| ObjectProperties | UnicodeString | [Object] Object Details |

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5889,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:30:46.980255+00:00",
    "event_record_id": 3332,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 888
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
    "ObjectProperties": "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tApplicationProxyServerName = \r\n\t\tProcessType = 2\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tRunAsUserType = 1\r\n\t\tIdentity = LocalSystem\r\n\t\tDescription = VMware Snapshot Provider\r\n\t\tIsSystem = N\r\n\t\tAuthentication = 6\r\n\t\tShutdownAfter = 3\r\n\t\tRunForever = N\r\n\t\tPassword = ********\r\n\t\tActivation = Local\r\n\t\tChangeable = Y\r\n\t\tDeleteable = Y\r\n\t\tCreatedBy = \r\n\t\tAccessChecksLevel = 1\r\n\t\tApplicationAccessChecksEnabled = 0\r\n\t\tcCOL_SecurityDescriptor = <Opaque>\r\n\t\tImpersonationLevel = 2\r\n\t\tAuthenticationCapability = 2\r\n\t\tCRMEnabled = 0\r\n\t\t3GigSupportEnabled = 0\r\n\t\tQueuingEnabled = 0\r\n\t\tQueueListenerEnabled = N\r\n\t\tEventsEnabled = 1\r\n\t\tProcessFlags = 0\r\n\t\tThreadMax = 0\r\n\t\tApplicationProxy = 0\r\n\t\tCRMLogFile = \r\n\t\tDumpEnabled = 0\r\n\t\tDumpOnException = 0\r\n\t\tDumpOnFailfast = 0\r\n\t\tMaxDumpCount = 5\r\n\t\tDumpPath = %systemroot%\\system32\\com\\dmp\r\n\t\tIsEnabled = 1\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}\r\n\t\tConcurrentApps = 1\r\n\t\tRecycleLifetimeLimit = 0\r\n\t\tRecycleCallLimit = 0\r\n\t\tRecycleActivationLimit = 0\r\n\t\tRecycleMemoryLimit = 0\r\n\t\tRecycleExpirationTimeout = 15\r\n\t\tQCListenerMaxThreads = 0\r\n\t\tQCAuthenticateMsgs = 0\r\n\t\tApplicationDirectory = \r\n\t\tSRPTrustLevel = 262144\r\n\t\tSRPEnabled = 0\r\n\t\tSoapActivated = 0\r\n\t\tSoapVRoot = \r\n\t\tSoapMailTo = \r\n\t\tSoapBaseUrl = \r\n\t\tReplicable = 1"
  },
  "message": ""
}
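
ObjectIdentifyingProperties and ObjectProperties arrive as a single string of CRLF/tab-separated "Key = Value" pairs, so they need to be split before they can be searched or alerted on. The following is an added example, not part of the original page or of any vendor tooling: it parses that layout and pulls out the fields most useful for triage. The function names and the SAMPLE record (abbreviated from the example event above) are assumptions made for illustration.

```python
def parse_props(blob):
    """Split a '\\r\\n\\t\\tKey = Value' property blob into a dict."""
    props = {}
    for line in blob.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first '=' only: values (paths, command lines) may contain '='.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # empty values become ""
    return props

def summarize_5889(event):
    """Return triage fields for one 5889 record, or None for other event IDs."""
    if event["system"]["event_id"] != 5889:
        return None
    data = event["event_data"]
    ident = parse_props(data["ObjectIdentifyingProperties"])
    props = parse_props(data["ObjectProperties"])
    return {
        "time": event["system"]["time_created"],
        "computer": event["system"]["computer"],
        "actor": f'{data["SubjectUserDomainName"]}\\{data["SubjectUserName"]}',
        "actor_sid": data["SubjectUserSid"],
        # Logon IDs are usually shown in hex (999 -> 0x3e7).
        "logon_id": hex(int(data["SubjectLogonId"])),
        "collection": data["ObjectCollectionName"],
        "object_id": ident.get("ID"),
        "name": props.get("Name"),
        "service": props.get("ServiceName") or None,
        "identity": props.get("Identity"),
    }

# Constructed sample: the example event above, reduced to the fields used here.
SAMPLE = {
    "system": {"event_id": 5889, "computer": "WinDev2310Eval",
               "time_created": "2023-11-05T22:30:46.980255+00:00"},
    "event_data": {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "SubjectUserDomainName": "NT AUTHORITY", "SubjectLogonId": 999,
        "ObjectCollectionName": "Applications",
        "ObjectIdentifyingProperties": "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
        "ObjectProperties": "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tIdentity = LocalSystem",
    },
}

if __name__ == "__main__":
    for field, value in summarize_5889(SAMPLE).items():
        print(f"{field:12} {value}")
```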