NTDS ISAM
16 events across 1 channel
Event ID 102 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 102,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 106,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,P,98",
"NTDSA: ",
"0",
"10",
"00",
"20348",
"0000"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 103,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:40.502491+00:00",
"event_record_id": 38,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,T,97",
"NTDSA: ",
"0",
"\n[1] 0.000002 +J(0)\n[2] 0.000450 -0.000425 (1) WT +J(0) +M(C:0K, Fs:23, WS:68K # 0K, PF:0K # 0K, P:0K)\n[3] 0.000197 +J(CM:0, PgRf:47, Rd:0/0, Dy:5/55, Lg:2011/41) +M(C:0K, Fs:10, WS:-120K # 0K, PF:-160K # 0K, P:-160K)\n[4] 0.000003 +J(0)\n[5] 0.028921 -0.018370 (9) WT +J(0) +M(C:96K, Fs:323, WS:364K # 0K, PF:360K # 0K, P:360K)\n[6] 0.000022 +J(0)\n[7] 0.000005 +J(0)\n[8] 0.007311 -0.000947 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3624/2) +M(C:0K, Fs:112, WS:-40K # 0K, PF:-44K # 0K, P:-44K)\n[9] 0.000265 -0.000122 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1)\n[10] 0.000022 +J(0)\n[11] 0.001534 -0.000111 (2) WT +J(0)\n[12] 0.000021 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000208 +J(0)\n[14] 0.000988 +J(0) +M(C:0K, Fs:0, WS:-10248K # 0K, PF:-10264K # 0K, P:-10264K)\n[15] 0.000007 +J(0).",
"0"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 105 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 105,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 107,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,D,0",
"NTDSA: ",
"0",
"0",
"\n[1] 0.000559 +J(0) +M(C:0K, Fs:85, WS:320K # 0K, PF:3268K # 336K, P:3268K)\n[2] 0.000295 +J(0) +M(C:16K, Fs:125, WS:496K # 276K, PF:292K # 292K, P:292K)\n[3] 0.000032 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K)\n[4] 0.004285 -0.000162 (1) WT +J(0) +M(C:0K, Fs:117, WS:392K # 392K, PF:5996K # 5996K, P:5996K)\n[5] 0.000373 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:16K # 16K, P:16K)\n[6] 0.093356 +J(0) +M(C:0K, Fs:22, WS:84K # 84K, PF:16K # 16K, P:16K)\n[7] 0.406636 -0.392925 (21) WT +J(0) +M(C:0K, Fs:2579, WS:10296K # 10296K, PF:10260K # 10260K, P:10260K)\n[8] -\n[9] -\n[10] -\n[11] -\n[12] -\n[13] 0.052375 -0.044024 (22) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:8, WS:-10216K # 24K, PF:-10256K # 12K, P:-10256K)\n[14] 0.000024 +J(0)\n[15] 0.000367 +J(0) +M(C:0K, Fs:411, WS:1640K # 0K, PF:68K # 0K, P:68K)\n[16] 0.000609 -0.000144 (1) WT +J(0) +M(C:0K, Fs:3, WS:4K # 0K, PF:0K # 0K, P:0K)."
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 326 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 326,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 109,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,D,50",
"NTDSA: ",
"1",
"C:\\Windows\\NTDS\\ntds.dit",
"0",
"\n[1] 0.000035 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000508 -0.000194 (1) WT +J(0) +M(C:0K, Fs:19, WS:12K # 0K, PF:8K # 0K, P:8K)\n[3] 0.046828 -0.018928 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:17, WS:56K # 0K, PF:112K # 0K, P:112K)\n[4] 0.000119 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.000937 -0.000295 (2) CM -0.000157 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:43, WS:164K # 0K, PF:212K # 0K, P:212K)\n[9] 0.084201 -0.083499 (9) CM -0.082701 (9) WT +J(CM:9, PgRf:24, Rd:0/9, Dy:0/0, Lg:0/0) +M(C:0K, Fs:32, WS:104K # 0K, PF:204K # 0K, P:204K)\n[10] 0.001274 -0.000927 (3) CM -0.000672 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:0K, Fs:8, WS:24K # 0K, PF:64K # 0K, P:64K)\n[11] 0.000047 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[12] 0.000046 +J(CM:0, PgRf:48, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000003 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
"0 0",
"lgposAttach = 00000002:047E:0268,\ndbv = 1568.20.0 (8920)"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 327 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 327,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.396715+00:00",
"event_record_id": 21,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,51",
"NTDSA: ",
"1",
"C:\\Windows\\NTDS\\ntds.dit",
"0",
"\n[1] 0.000002 +J(0)\n[2] 0.0 +J(0)\n[3] 0.004132 -0.004125 (1) WT +J(0) +M(C:44K, Fs:53, WS:100K # 0K, PF:48K # 0K, P:48K)\n[4] 0.000001 +J(0)\n[5] 0.0 +J(0)\n[6] 0.001773 -0.000372 (6) WT +J(0) +M(C:-16K, Fs:6, WS:-8K # 0K, PF:-16K # 0K, P:-16K)\n[7] 0.000029 +J(0)\n[8] 0.000381 -0.000070 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3902/2)\n[9] 0.001097 -0.000213 (6) WT +J(0) +M(C:0K, Fs:4, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.000127 +J(0)\n[11] 0.000069 +J(0) +M(C:0K, Fs:0, WS:-8K # 0K, PF:-8K # 0K, P:-8K).",
"0 0",
"lgposDetach = 00000001:00BA:00C2"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 330 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 330,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 108,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"0x22D8 (8920)",
"8920 (0x22d8)",
"9360 (0x2490)"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 609 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 609,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.307771+00:00",
"event_record_id": 14,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"10",
"0",
"20348",
"0",
"10",
"0",
"20348",
"0"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 611 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 611,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.375741+00:00",
"event_record_id": 18,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"PDNT_index",
"datatable"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 612 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 612,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.381699+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 614 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 614,
"version": 0,
"level": 3,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.225114+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"INDEX_00000003",
"datatable"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 643 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 643,
"version": 0,
"level": 3,
"task": 5,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:12:33.306746+00:00",
"event_record_id": 13,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,50",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"en-US",
"00000001-57ee-1e5c-00b4-d0000bb1e11e",
"0006020F0006020F",
"00000001-57ee-1e5c-00b4-d0000bb1e11e",
"0006040300060403"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 700 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 700,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:18.628934+00:00",
"event_record_id": 111,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,D,0",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 701 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 701,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T17:08:20.816709+00:00",
"event_record_id": 115,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"664,D,0",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"3",
"4/7/2022",
"1",
"1",
"1",
"2"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 702 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 702,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:29:41.505098+00:00",
"event_record_id": 65,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,0",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"4/7/2022",
"1"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 703 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 703,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:29:41.520778+00:00",
"event_record_id": 66,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,0",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit",
"10",
"4/7/2022",
"0",
"2",
"1",
"1"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 704 —
Fields #
| Name | Description |
|---|---|
| Data | — |
Example Event #
{
"system": {
"provider": "NTDS ISAM",
"guid": "",
"event_source_name": "",
"event_id": 704,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:30:15.270773+00:00",
"event_record_id": 70,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Directory Service",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"NTDS",
"648,D,0",
"NTDSA: ",
"C:\\Windows\\NTDS\\ntds.dit"
]
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline