NTDS ISAM
16 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 102 | | Directory Service |
| 103 | | Directory Service |
| 105 | | Directory Service |
| 326 | | Directory Service |
| 327 | | Directory Service |
| 330 | | Directory Service |
| 609 | | Directory Service |
| 611 | | Directory Service |
| 612 | | Directory Service |
| 614 | | Directory Service |
| 643 | | Directory Service |
| 700 | | Directory Service |
| 701 | | Directory Service |
| 702 | | Directory Service |
| 703 | | Directory Service |
| 704 | | Directory Service |
Event ID 102 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 102
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:18.628934+00:00'
  event_record_id: 106
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,P,98
    - 'NTDSA: '
    - '0'
    - '10'
    - '00'
    - '20348'
    - '0000'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 103
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:40.502491+00:00'
  event_record_id: 38
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,T,97
    - 'NTDSA: '
    - '0'
    - '
      [1] 0.000002 +J(0)
      [2] 0.000450 -0.000425 (1) WT +J(0) +M(C:0K, Fs:23, WS:68K # 0K, PF:0K # 0K, P:0K)
      [3] 0.000197 +J(CM:0, PgRf:47, Rd:0/0, Dy:5/55, Lg:2011/41) +M(C:0K, Fs:10, WS:-120K
      # 0K, PF:-160K # 0K, P:-160K)
      [4] 0.000003 +J(0)
      [5] 0.028921 -0.018370 (9) WT +J(0) +M(C:96K, Fs:323, WS:364K # 0K, PF:360K #
      0K, P:360K)
      [6] 0.000022 +J(0)
      [7] 0.000005 +J(0)
      [8] 0.007311 -0.000947 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3624/2) +M(C:0K,
      Fs:112, WS:-40K # 0K, PF:-44K # 0K, P:-44K)
      [9] 0.000265 -0.000122 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1)
      [10] 0.000022 +J(0)
      [11] 0.001534 -0.000111 (2) WT +J(0)
      [12] 0.000021 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)
      [13] 0.000208 +J(0)
      [14] 0.000988 +J(0) +M(C:0K, Fs:0, WS:-10248K # 0K, PF:-10264K # 0K, P:-10264K)
      [15] 0.000007 +J(0).'
    - '0'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 105 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 105
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:18.628934+00:00'
  event_record_id: 107
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,D,0
    - 'NTDSA: '
    - '0'
    - '0'
    - '
      [1] 0.000559 +J(0) +M(C:0K, Fs:85, WS:320K # 0K, PF:3268K # 336K, P:3268K)
      [2] 0.000295 +J(0) +M(C:16K, Fs:125, WS:496K # 276K, PF:292K # 292K, P:292K)
      [3] 0.000032 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)
      [4] 0.004285 -0.000162 (1) WT +J(0) +M(C:0K, Fs:117, WS:392K # 392K, PF:5996K
      # 5996K, P:5996K)
      [5] 0.000373 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:16K # 16K, P:16K)
      [6] 0.093356 +J(0) +M(C:0K, Fs:22, WS:84K # 84K, PF:16K # 16K, P:16K)
      [7] 0.406636 -0.392925 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K
      # 10260K, P:10260K)
      [8] -
      [9] -
      [10] -
      [11] -
      [12] -
      [13] 0.052375 -0.044024 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K,
      Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)
      [14] 0.000024 +J(0)
      [15] 0.000367 +J(0) +M(C:0K, Fs:411, WS:1640K # 0K, PF:68K # 0K, P:68K)
      [16] 0.000609 -0.000144 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K).'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 326 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 326
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:18.628934+00:00'
  event_record_id: 109
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,D,50
    - 'NTDSA: '
    - '1'
    - C:\Windows\NTDS\ntds.dit
    - '0'
    - '
      [1] 0.000035 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)
      [2] 0.000508 -0.000194 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)
      [3] 0.046828 -0.018928 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K,
      Fs:17, WS:56K # 0K, PF:112K # 0K, P:112K)
      [4] 0.000119 +J(0)
      [5] -
      [6] -
      [7] -
      [8] 0.000937 -0.000295 (2) CM -0.000157 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0,
      Lg:0/0) +M(C:16K, Fs:43, WS:164K # 0K, PF:212K # 0K, P:212K)
      [9] 0.084201 -0.083499 (9) CM -0.082701 (9) WT +J(CM:9, PgRf:24, Rd:0/9, Dy:0/0,
      Lg:0/0) +M(C:0K, Fs:32, WS:104K # 0K, PF:204K # 0K, P:204K)
      [10] 0.001274 -0.000927 (3) CM -0.000672 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0,
      Lg:0/0) +M(C:0K, Fs:8, WS:24K # 0K, PF:64K # 0K, P:64K)
      [11] 0.000047 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K #
      0K, PF:0K # 0K, P:0K)
      [12] 0.000046 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K #
      0K, PF:0K # 0K, P:0K)
      [13] 0.0 +J(0)
      [14] 0.0 +J(0)
      [15] 0.000003 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).'
    - 0 0
    - 'lgposAttach = 00000002:047E:0268,
      dbv = 1568.20.0 (8920)'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 327 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 327
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.396715+00:00'
  event_record_id: 21
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,51
    - 'NTDSA: '
    - '1'
    - C:\Windows\NTDS\ntds.dit
    - '0'
    - '
      [1] 0.000002 +J(0)
      [2] 0.0 +J(0)
      [3] 0.004132 -0.004125 (1) WT +J(0) +M(C:44K, Fs:53, WS:100K # 0K, PF:48K # 0K,
      P:48K)
      [4] 0.000001 +J(0)
      [5] 0.0 +J(0)
      [6] 0.001773 -0.000372 (6) WT +J(0) +M(C:-16K, Fs:6, WS:-8K # 0K, PF:-16K # 0K,
      P:-16K)
      [7] 0.000029 +J(0)
      [8] 0.000381 -0.000070 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3902/2)
      [9] 0.001097 -0.000213 (6) WT +J(0) +M(C:0K, Fs:4, WS:-20K # 0K, PF:-20K # 0K,
      P:-20K)
      [10] 0.000127 +J(0)
      [11] 0.000069 +J(0) +M(C:0K, Fs:0, WS:-8K # 0K, PF:-8K # 0K, P:-8K).'
    - 0 0
    - lgposDetach = 00000001:00BA:00C2
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 330 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 330
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:18.628934+00:00'
  event_record_id: 108
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - 0x22D8 (8920)
    - 8920 (0x22d8)
    - 9360 (0x2490)
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 609 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 609
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.307771+00:00'
  event_record_id: 14
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - '10'
    - '0'
    - '20348'
    - '0'
    - '10'
    - '0'
    - '20348'
    - '0'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 611 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 611
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.375741+00:00'
  event_record_id: 18
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - PDNT_index
    - datatable
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 612 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 612
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.381699+00:00'
  event_record_id: 19
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 614 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 614
  version: 0
  level: 3
  task: 5
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.225114+00:00'
  event_record_id: 6
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - INDEX_00000003
    - datatable
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 643 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 643
  version: 0
  level: 3
  task: 5
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:12:33.306746+00:00'
  event_record_id: 13
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,50
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - en-US
    - 00000001-57ee-1e5c-00b4-d0000bb1e11e
    - 0006020F0006020F
    - 00000001-57ee-1e5c-00b4-d0000bb1e11e
    - '0006040300060403'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 700 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 700
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:18.628934+00:00'
  event_record_id: 111
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,D,0
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 701 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 701
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T17:08:20.816709+00:00'
  event_record_id: 115
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 664,D,0
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - '3'
    - 4/7/2022
    - '1'
    - '1'
    - '1'
    - '2'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 702 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 702
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:29:41.505098+00:00'
  event_record_id: 65
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,0
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - 4/7/2022
    - '1'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 703 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 703
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:29:41.520778+00:00'
  event_record_id: 66
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,0
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
    - '10'
    - 4/7/2022
    - '0'
    - '2'
    - '1'
    - '1'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 704 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: NTDS ISAM
  guid: ''
  event_source_name: ''
  event_id: 704
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:30:15.270773+00:00'
  event_record_id: 70
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Directory Service
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
    - NTDS
    - 648,D,0
    - 'NTDSA: '
    - C:\Windows\NTDS\ntds.dit
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline