feat: add RDS log to logon-summary #1476

Merged 5 commits on Nov 8, 2024

@fukusuket (Collaborator) commented Nov 7, 2024

What Changed

Evidence

Integration-Test

All commands completed successfully.
https://github.com/Yamato-Security/hayabusa/actions/runs/11724197180

I would appreciate it if you could check it out when you have time🙏

@fukusuket self-assigned this Nov 7, 2024
@fukusuket added the enhancement (New feature or request) label Nov 7, 2024

@fukusuket (Collaborator, Author)

baseline-evtx v8

fukusuke@fukusukenoMacBook-Air hayabusa-2.19.0-mac-aarch64 % ./hayabusa-2.19.0-mac-aarch64 logon-summary -d ../all-evtx -q
Generating Logon Summary

Start time: 2024/11/07 23:15

Total event log files: 2,239
Total file size: 8.8 GB

Currently scanning for the logon summary. Please wait.

[00:00:59] 2,203 / 2,239 ⠐ [=======================================>] 98%

"../all-evtx/Logs_Win11/Microsoft-Windows-BitLocker-DrivePreparationTool%4Admin.evtx"

Total Event Records: 6,611,184

First Timestamp: 2009-07-14 13:56:45.074 +09:00
Last Timestamp: 2023-11-06 15:25:53.238 +09:00

Logon Summary:

Successful Logons:
╭────────────┬────────────┬─────────────────┬──────────────────────────┬─────────────────┬───────────────────╮
│ Successful ┆ Event      ┆ Target Account  ┆ Target Computer          ┆ Source Computer ┆ Source IP Address │
╞════════════╪════════════╪═════════════════╪══════════════════════════╪═════════════════╪═══════════════════╡
│ 260        ┆ Sec 4624   ┆ SYSTEM          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 193        ┆ Sec 4624   ┆ SYSTEM          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 121        ┆ Sec 4624   ┆ Système         ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 100        ┆ Sec 4624   ┆ Système         ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 42         ┆ Sec 4624   ┆ SYSTEM          ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 40         ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 34         ┆ Sec 4624   ┆ Système         ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 30         ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 23         ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 19         ┆ Sec 4624   ┆ SYSTEM          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 18         ┆ Sec 4624   ┆ SYSTEM          ┆ WinDevEval               ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 16         ┆ Sec 4624   ┆ user            ┆ DESKTOP-A8CALR3          ┆ DESKTOP-A8CALR3 ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 12         ┆ Sec 4624   ┆ SYSTEM          ┆ Agamemnon                ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 12         ┆ Sec 4624   ┆ evtx            ┆ evtx-PC                  ┆ EVTX-PC         ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 12         ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 10         ┆ Sec 4624   ┆ DWM-1           ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 9          ┆ Sec 4624   ┆ SYSTEM          ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 8          ┆ Sec 4624   ┆ testme          ┆ DESKTOP-6D0DBMB          ┆ DESKTOP-6D0DBMB ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 8          ┆ Sec 4624   ┆ SYSTEM          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 8          ┆ RDS-LSM 21 ┆ Administrator   ┆ WinDevEval               ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 7          ┆ RDS-LSM 21 ┆ evtx            ┆ evtx-PC                  ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 7          ┆ Sec 4624   ┆ SYSTEM          ┆ 37L4247D28-05            ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 7          ┆ Sec 4624   ┆ SYSTEM          ┆ evtx-PC                  ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 7          ┆ Sec 4624   ┆ ANONYMOUS LOGON ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 6          ┆ Sec 4624   ┆ DWM-1           ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 6          ┆ Sec 4624   ┆ SYSTEM          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 6          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 6          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ RDS-LSM 21 ┆ user            ┆ DESKTOP-A8CALR3          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624   ┆ UMFD-1          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624   ┆ UMFD-0          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 4          ┆ Sec 4624   ┆ SYSTEM          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 4          ┆ RDS-LSM 21 ┆ Administrator   ┆ WIN-TKC15D7KHUR          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 4          ┆ Sec 4624   ┆ User            ┆ WinDev2310Eval           ┆ WINDEV2310EVAL  ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 4          ┆ Sec 4624   ┆ DWM-1           ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ RDS-LSM 21 ┆ testme          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ RDS-LSM 21 ┆ neo             ┆ Agamemnon                ┆ -               ┆ 88.152.90.161     │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ Sec 4624   ┆ Système         ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ RDS-LSM 21 ┆ Administrator   ┆ WIN-FPV0DSIC9O6.sigma.fr ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ Sec 4624   ┆ UMFD-1          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 3          ┆ Sec 4624   ┆ UMFD-0          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ RDS-LSM 21 ┆ Administrator   ┆ WIN-06FB45IHQ35          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ user            ┆ DESKTOP-A8CALR3          ┆ DESKTOP-A8CALR3 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ defaultuser0    ┆ DESKTOP-6D0DBMB          ┆ WIN-KPO4DDU11AB ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-2           ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ defaultuser0    ┆ DESKTOP-A8CALR3          ┆ WIN-VR474TJ38H3 ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ SERVICE RÉSEAU  ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-2           ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ SERVICE LOCAL   ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ defaultuser0    ┆ DESKTOP-A8CALR3          ┆ WIN-VR474TJ38H3 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ defaultuser0    ┆ DESKTOP-6D0DBMB          ┆ WIN-KPO4DDU11AB ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ RDS-LSM 21 ┆ defaultuser0    ┆ DESKTOP-A8CALR3          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ UMFD-0          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ DWM-1           ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ testme          ┆ DESKTOP-6D0DBMB          ┆ WIN-KPO4DDU11AB ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ RDS-LSM 21 ┆ User            ┆ WinDev2310Eval           ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ UMFD-1          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ testme          ┆ DESKTOP-6D0DBMB          ┆ WIN-KPO4DDU11AB ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ evtx            ┆ evtx-PC                  ┆ WIN-DQ6SQUGKQRD ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624   ┆ defaultuser0    ┆ DESKTOP-A8CALR3          ┆ DESKTOP-A8CALR3 ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ 37L4247D28-05            ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ Système         ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-2          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-2          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SERVICE LOCAL   ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ 37L4247D28-05            ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ IUSR            ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ RDS-LSM 21 ┆ Administrator   ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ Administrator   ┆ WIN-FPV0DSIC9O6          ┆ WIN-FPV0DSIC9O6 ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SERVICE LOCAL   ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ DESKTOP-A8CALR3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SYSTEM          ┆ 37L4247D28-05            ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SERVICE RÉSEAU  ┆ DESKTOP-6D0DBMB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ ANONYMOUS LOGON ┆ 37L4247D28-05            ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ RDS-LSM 21 ┆ defaultuser0    ┆ DESKTOP-6D0DBMB          ┆ -               ┆ LOCAL             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ Administrator   ┆ WIN-TKC15D7KHUR          ┆ WIN-TKC15D7KHUR ┆ 127.0.0.1         │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SERVICE RÉSEAU  ┆ WIN-KPO4DDU11AB          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ NETWORK SERVICE ┆ evtx-PC                  ┆                 ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-1          ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WIN-FPV0DSIC9O6          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ SYSTEM          ┆ WIN-TKC15D7KHUR          ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ LOCAL SERVICE   ┆ WinDev2310Eval           ┆ -               ┆ -                 │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624   ┆ UMFD-0          ┆ WIN-VR474TJ38H3          ┆ -               ┆ -                 │
╰────────────┴────────────┴─────────────────┴──────────────────────────┴─────────────────┴───────────────────╯



Failed Logons:
╭────────┬──────────┬────────────────┬─────────────────┬─────────────────┬───────────────────╮
│ Failed ┆ Event    ┆ Target Account ┆ Target Computer ┆ Source Computer ┆ Source IP Address │
╞════════╪══════════╪════════════════╪═════════════════╪═════════════════╪═══════════════════╡
│ 2      ┆ Sec 4625 ┆ testme         ┆ DESKTOP-6D0DBMB ┆ WIN-KPO4DDU11AB ┆ -                 │
├╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤

Elapsed time: 00:00:59.596

@fukusuket (Collaborator, Author)

hayabusa-sample-evtx/YamatoSecurity

fukusuke@fukusukenoMacBook-Air hayabusa-2.19.0-mac-aarch64 % ./hayabusa-2.19.0-mac-aarch64 logon-summary -d ../hayabusa-sample-evtx/YamatoSecurity -q
Generating Logon Summary

Start time: 2024/11/07 23:18

Total event log files: 15
Total file size: 1044.5 KB

Currently scanning for the logon summary. Please wait.

[00:00:00] 14 / 15 ⠁ [=====================================>  ] 93%

"../hayabusa-sample-evtx/YamatoSecurity/Vulnerabilities/App_1_CVE-Detected.evtx"

Total Event Records: 203

First Timestamp: 2020-01-19 03:14:29.831 +09:00
Last Timestamp: 2024-11-04 22:59:32.624 +09:00

Logon Summary:

Successful Logons:
╭────────────┬─────────────┬────────────────┬───────────────────────────┬─────────────────┬───────────────────────────╮
│ Successful ┆ Event       ┆ Target Account ┆ Target Computer           ┆ Source Computer ┆ Source IP Address         │
╞════════════╪═════════════╪════════════════╪═══════════════════════════╪═════════════════╪═══════════════════════════╡
│ 6          ┆ Sec 4624    ┆ DC1$           ┆ dc1.test.local            ┆                 ┆ fe80::7191:d555:270f:4d0b │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 6          ┆ Sec 4624    ┆ DC1$           ┆ dc1.test.local            ┆                 ┆ ::1                       │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624    ┆ DC-SERVER-1$   ┆ DC-Server-1.labcorp.local ┆                 ┆ fe80::e50e:b89e:4718:3aa  │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 5          ┆ Sec 4624    ┆ DC-SERVER-1$   ┆ DC-Server-1.labcorp.local ┆                 ┆ ::1                       │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ Sec 4624    ┆ Bob            ┆ DC-Server-1.labcorp.local ┆                 ┆ 192.168.1.2               │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 2          ┆ RDS-GTW 302 ┆ Administrator  ┆ EC2AMAZ-6C3C9U6           ┆ -               ┆ 219.100.37.243            │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624    ┆ DC-SERVER-1$   ┆ DC-Server-1.labcorp.local ┆                 ┆ 192.168.1.100             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624    ┆ Alice          ┆ DC-Server-1.labcorp.local ┆                 ┆ 192.168.1.200             │
├╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 1          ┆ Sec 4624    ┆ DC1$           ┆ dc1.test.local            ┆                 ┆ 192.168.20.11             │
╰────────────┴─────────────┴────────────────┴───────────────────────────┴─────────────────┴───────────────────────────╯

@fukusuket
Collaborator Author

fukusuket commented Nov 7, 2024

hayabusa-sample-evtx

% ./hayabusa-2.19.0-mac-aarch64 logon-summary -d ../hayabusa-sample-evtx/ -q -o logon
Generating Logon Summary

Start time: 2024/11/07 23:21

Total event log files: 598
Total file size: 139.2 MB

Currently scanning for the logon summary. Please wait.

[00:00:01] 552 / 598 ⠚ [====================================>   ] 92%

"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1547-Boot or Logon Autostart Execution/ID12-LSA Protect mode enabled RunAsPPL.evtx"

Total Event Records: 47,623

Successful logon results: logon-successful.csv (10.6 KB)
Failed logon results: logon-failed.csv (328.2 KB)

Elapsed time: 00:00:01.258
cat logon-successful.csv
Successful,Event,Target Account,Target Domain,Target Computer,Logon Type,Source Account,Source Domain,Source Computer,Source IP Address
220,Sec 4624,SYSTEM,NT AUTHORITY,IE8Win7,5 - Service,IE8WIN7$,WORKGROUP,,-
84,Sec 4624,SYSTEM,NT AUTHORITY,IE10Win7,5 - Service,IE10WIN7$,WORKGROUP,,-
40,Sec 4624,admmig,OFFSEC,fs03vuln.offsec.lan,3 - Network,-,-,,10.23.123.11
32,Sec 4624,SYSTEM,NT AUTHORITY,IE9Win7,5 - Service,IE9WIN7$,WORKGROUP,,-
30,Sec 4624,IEUser,IE8Win7,IE8Win7,2 - Interactive,IE8WIN7$,WORKGROUP,IE8WIN7,127.0.0.1
19,Sec 4624,SYSTEM,NT AUTHORITY,IE8Win7,0 - System,-,-,-,-
19,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,IE8Win7,3 - Network,-,-,,-
19,Sec 4624,admmig,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.23.9
18,Sec 4624,LOCAL SERVICE,NT AUTHORITY,IE8Win7,5 - Service,IE8WIN7$,WORKGROUP,,-
18,Sec 4624,IEUser,IE10WIN7,IE10Win7,2 - Interactive,IE10WIN7$,WORKGROUP,IE10WIN7,127.0.0.1
18,Sec 4624,NETWORK SERVICE,NT AUTHORITY,IE8Win7,5 - Service,IE8WIN7$,WORKGROUP,,-
15,Sec 4624,SYSTEM,NT AUTHORITY,IE8Win7,5 - Service,WIN-QALA5Q3KJ43$,WORKGROUP,,-
14,Sec 4624,admmig,OFFSEC,fs03vuln.offsec.lan,3 - Network,-,-,,10.23.23.9
14,Sec 4624,01566S-WIN16-IR$,THREEBEESCO.COM,01566s-win16-ir.threebeesco.com,3 - Network,-,-,-,::1
9,Sec 4624,admmig,OFFSEC,fs02.offsec.lan,3 - Network,-,-,-,10.23.23.9
8,Sec 4624,NETWORK SERVICE,NT AUTHORITY,IE10Win7,5 - Service,IE10WIN7$,WORKGROUP,,-
8,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,IE10Win7,3 - Network,-,-,,-
8,Sec 4624,SYSTEM,NT AUTHORITY,PC02.example.corp,5 - Service,PC02$,EXAMPLE,,-
8,Sec 4624,LOCAL SERVICE,NT AUTHORITY,IE10Win7,5 - Service,IE10WIN7$,WORKGROUP,,-
8,Sec 4624,admmig,OFFSEC.LAN,mssql01.offsec.lan,3 - Network,-,-,-,10.23.23.9
8,Sec 4624,admmig,OFFSEC,srvdefender01.offsec.lan,3 - Network,-,-,-,10.23.123.11
8,Sec 4624,SYSTEM,NT AUTHORITY,IE10Win7,0 - System,-,-,-,-
7,Sec 4624,SYSTEM,NT AUTHORITY,37L4247D28-05,5 - Service,37L4247D28-05$,WORKGROUP,,-
6,Sec 4624,lambda-user,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.23.9
6,Sec 4624,DC1$,TEST.LOCAL,dc1.test.local,3 - Network,-,-,,::1
6,Sec 4624,DC1$,TEST.LOCAL,dc1.test.local,3 - Network,-,-,,fe80::7191:d555:270f:4d0b
6,Sec 4624,hack1,OFFSEC,FS03.offsec.lan,3 - Network,-,-,-,10.23.42.38
6,Sec 4624,admmig,OFFSEC.LAN,fs01.offsec.lan,3 - Network,-,-,-,10.23.23.9
6,Sec 4624,IEUser,IE9WIN7,IE9Win7,2 - Interactive,IE9WIN7$,WORKGROUP,IE9WIN7,127.0.0.1
5,Sec 4624,DC-SERVER-1$,LABCORP.LOCAL,DC-Server-1.labcorp.local,3 - Network,-,-,,::1
5,Sec 4624,DC-SERVER-1$,LABCORP.LOCAL,DC-Server-1.labcorp.local,3 - Network,-,-,,fe80::e50e:b89e:4718:3aa
5,Sec 4624,admmig,OFFSEC,FS03.offsec.lan,3 - Network,-,-,-,10.23.123.11
5,Sec 4624,admmig,OFFSEC.LAN,srvdefender01.offsec.lan,3 - Network,-,-,-,10.23.42.22
4,Sec 4624,admmig,OFFSEC.LAN,adfs01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,exchange01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,webiis01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,wsus01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,WIN-77LTAPHIQ1R$,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,,fe80::79bf:8ee2:433c:2567
4,Sec 4624,admmig,OFFSEC.LAN,prtg-mon.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,Administrator,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,,10.0.2.17
4,Sec 4624,admmig,OFFSEC.LAN,atacore01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,dhcp01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,pki01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,admmig,OFFSEC.LAN,atanids01.offsec.lan,3 - Network,-,-,-,10.23.23.9
4,Sec 4624,ROOTDC1$,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,fe80::1cae:5aa4:9d8d:106a
4,Sec 4624,Administrator,WINLAB.LOCAL,wind10.winlab.local,3 - Network,-,-,-,192.168.1.219
3,Sec 4624,WIN-77LTAPHIQ1R$,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,,::1
3,Sec 4624,IEUser,IE8Win7,IE8Win7,4 - Batch,IE8WIN7$,WORKGROUP,IE8WIN7,-
3,Sec 4624,lgrove,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,04246W-WIN10,172.16.66.19
3,Sec 4624,LOCAL SERVICE,NT AUTHORITY,IE9Win7,5 - Service,IE9WIN7$,WORKGROUP,,-
3,Sec 4624,SYSTEM,NT AUTHORITY,IE9Win7,0 - System,-,-,-,-
3,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,IE9Win7,3 - Network,-,-,,-
3,Sec 4624,NETWORK SERVICE,NT AUTHORITY,IE9Win7,5 - Service,IE9WIN7$,WORKGROUP,,-
2,Sec 4624,IEUser,MSEDGEWIN10,MSEDGEWIN10,9 - NewInteractive,IEUser,MSEDGEWIN10,-,::1
2,Sec 4624,user01,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,,10.0.2.17
2,Sec 4624,ANONYMOUS LOGON,offsec,fs03vuln.offsec.lan,3 - Network,-,-,,10.23.123.11
2,Sec 4624,ROOTDC1$,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,::1
2,Sec 4624,IEUser,IE8Win7,IE8Win7,2 - Interactive,WIN-QALA5Q3KJ43$,WORKGROUP,WIN-QALA5Q3KJ43,127.0.0.1
2,Sec 4624,IEUser,IE8Win7,IE8Win7,2 - Interactive,IE8WIN7$,WORKGROUP,IE8WIN7,-
2,Sec 4624,IEUser,PC02,PC02.example.corp,2 - Interactive,PC02$,EXAMPLE,PC02,127.0.0.1
2,Sec 4624,a-jbrown,THREEBEESCO.COM,01566s-win16-ir.threebeesco.com,3 - Network,-,-,-,172.16.66.142
2,RDS-GTW 302,Administrator,-,EC2AMAZ-6C3C9U6,-,-,-,-,219.100.37.243
2,Sec 4624,Bob,LABCORP.LOCAL,DC-Server-1.labcorp.local,3 - Network,-,-,,192.168.1.2
2,Sec 4624,hack1,OFFSEC,FS03.offsec.lan,2 - Interactive,admmig,OFFSEC,FS03,::1
2,Sec 4624,Administrator,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,-,172.16.66.37
2,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,01566s-win16-ir.threebeesco.com,3 - Network,-,-,02694W-WIN10,172.16.66.37
2,Sec 4624,SYSTEM,NT AUTHORITY,SANS-TBT570,5 - Service,SANS-TBT570$,WORKGROUP,,-
2,Sec 4624,admmig,OFFSEC,mssql01.offsec.lan,3 - Network,-,-,-,10.23.123.11
2,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,PC02.example.corp,3 - Network,-,-,PC01,10.0.2.17
2,Sec 4624,admin01,EXAMPLE,PC01.example.corp,3 - Network,-,-,PC02,-
2,Sec 4624,IEUser,MSEDGEWIN10,MSEDGEWIN10,2 - Interactive,IEUser,MSEDGEWIN10,MSEDGEWIN10,-
1,Sec 4624,ATACORE01$,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.42.30
1,Sec 4624,ICORP-DC$,INTERNAL.CORP,ICORP-DC.internal.corp,3 - Network,-,-,-,::1
1,Sec 4624,user01,EXAMPLE,PC01.example.corp,7 - Unlock,PC01$,EXAMPLE,PC01,-
1,Sec 4624,user03,MSEDGEWIN10,MSEDGEWIN10,3 - Network,-,-,MSEDGEWIN10,127.0.0.1
1,Sec 4624,admin01,EXAMPLE,PC01.example.corp,10 - RemoteInteractive,PC01$,EXAMPLE,PC01,127.0.0.1
1,Sec 4624,IEUser,IEWIN7,IEWIN7,9 - NewInteractive,IEUser,IEWIN7,,::1
1,Sec 4624,not_existing_user,OFFSEC,fs02.offsec.lan,3 - Network,-,-,-,10.23.23.9
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,NULL,10.0.2.17
1,Sec 4624,lgrove,THREEBEESCO.COM,01566s-win16-ir.threebeesco.com,3 - Network,-,-,-,172.16.66.19
1,Sec 4624,admmig,OFFSEC,fs01.offsec.lan,3 - Network,-,-,-,10.23.123.11
1,Sec 4624,user01,EXAMPLE,PC01.example.corp,11 - CachedInteractive,PC01$,EXAMPLE,PC01,127.0.0.1
1,Sec 4624,admmig,OFFSEC,fs03vuln.offsec.lan,3 - Network,-,-,0Konuy9q8HtkWeKS,10.23.123.11
1,Sec 4624,SYSTEM,NT AUTHORITY,37L4247D28-05,0 - System,-,-,-,-
1,Sec 4624,EXCHANGE$,ICORP,ICORP-DC.internal.corp,3 - Network,-,-,EXCHANGE,192.168.111.87
1,Sec 4624,sshd_4332,VIRTUAL USERS,fs01.offsec.lan,5 - Service,FS01$,OFFSEC,-,-
1,Sec 4624,FS02$,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.42.18
1,Sec 4624,hack1,OFFSEC,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.123.11
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,fs03vuln.offsec.lan,3 - Network,-,-,,127.0.0.1
1,Sec 4624,LOCAL SERVICE,NT AUTHORITY,37L4247D28-05,5 - Service,37L4247D28-05$,WORKGROUP,,-
1,Sec 4624,Administrator,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,,-
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,fs03vuln.offsec.lan,3 - Network,-,-,,10.23.123.11
1,Sec 4624,admmig,OFFSEC,FS03.offsec.lan,9 - NewInteractive,admmig,OFFSEC,-,::1
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,37L4247D28-05,3 - Network,-,-,,-
1,Sec 4624,test10,OFFSEC,FS03.offsec.lan,3 - Network,admmig,OFFSEC,FS03,-
1,Sec 4624,samir,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,02694W-WIN10,172.16.66.25
1,Sec 4624,IEUser,MSEDGEWIN10,MSEDGEWIN10,3 - Network,svc01,MSEDGEWIN10,MSEDGEWIN10,-
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,alice.insecurebank.local,3 - Network,-,-,-,127.0.0.1
1,Sec 4624,SYSTEM,NT AUTHORITY,01566s-win16-ir.threebeesco.com,5 - Service,01566S-WIN16-IR$,3B,-,-
1,Sec 4624,Administrator,THREEBEESCO.COM,02694w-win10.threebeesco.com,3 - Network,-,-,-,127.0.0.1
1,Sec 4624,SYSTEM,NT AUTHORITY,PC02.example.corp,0 - System,-,-,-,-
1,Sec 4624,LOCAL SERVICE,NT AUTHORITY,IE8Win7,5 - Service,WIN-QALA5Q3KJ43$,WORKGROUP,,-
1,Sec 4624,lambda-user,OFFSEC.LAN,rootdc1.offsec.lan,3 - Network,-,-,-,-
1,Sec 4624,a-jbrown,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,04246W-WIN10,172.16.66.142
1,Sec 4624,DC-SERVER-1$,LABCORP.LOCAL,DC-Server-1.labcorp.local,3 - Network,-,-,,192.168.1.100
1,Sec 4624,LOCAL SERVICE,NT AUTHORITY,PC02.example.corp,5 - Service,PC02$,EXAMPLE,,-
1,Sec 4624,hack1,OFFSEC,rootdc1.offsec.lan,3 - Network,-,-,attacker,10.23.123.11
1,Sec 4624,ANONYMOUS LOGON,NT AUTHORITY,PC02.example.corp,3 - Network,-,-,,-
1,Sec 4624,NETWORK SERVICE,NT AUTHORITY,IE8Win7,5 - Service,WIN-QALA5Q3KJ43$,WORKGROUP,,-
1,Sec 4624,Alice,LABCORP,DC-Server-1.labcorp.local,3 - Network,-,-,,192.168.1.200
1,Sec 4624,sshd_5848,VIRTUAL USERS,fs01.offsec.lan,5 - Service,FS01$,OFFSEC,-,-
1,Sec 4624,admmhorvath,offsec,rootdc1.offsec.lan,3 - Network,-,-,-,10.23.123.11
1,Sec 4624,tbt570,SANS-TBT570,SANS-TBT570,3 - Network,-,-,WORKSTATION,127.0.0.1
1,Sec 4624,DC1$,TEST.LOCAL,dc1.test.local,3 - Network,-,-,,192.168.20.11
1,Sec 4624,sshd_server,PC02,PC02.example.corp,5 - Service,PC02$,EXAMPLE,PC02,-
1,Sec 4624,NETWORK SERVICE,NT AUTHORITY,PC02.example.corp,5 - Service,PC02$,EXAMPLE,,-
1,Sec 4624,admmig,OFFSEC,fs01.offsec.lan,3 - Network,-,-,-,-
1,Sec 4624,Administrator,EXAMPLE,WIN-77LTAPHIQ1R.example.corp,3 - Network,-,-,PC01,10.0.2.17
1,Sec 4624,user01,EXAMPLE,PC01.example.corp,9 - NewInteractive,user01,EXAMPLE,,::1
1,Sec 4624,Administrator,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,02694W-WIN10,172.16.66.37
1,Sec 4624,SYSTEM,NT AUTHORITY,MSEDGEWIN10,5 - Service,MSEDGEWIN10$,WORKGROUP,-,-
1,Sec 4624,samir,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,02694W-WIN10,-
1,Sec 4624,NETWORK SERVICE,NT AUTHORITY,37L4247D28-05,5 - Service,37L4247D28-05$,WORKGROUP,,-
1,Sec 4624,admmig,OFFSEC,fs01.offsec.lan,3 - Network,FS01$,OFFSEC,FS01,-
1,Sec 4624,02694W-WIN10$,THREEBEESCO.COM,01566s-win16-ir.threebeesco.com,3 - Network,-,-,-,172.16.66.25
1,Sec 4624,ICORP-DC$,INTERNAL.CORP,ICORP-DC.internal.corp,3 - Network,-,-,-,127.0.0.1
1,Sec 4624,IEUser,PC02,PC02.example.corp,10 - RemoteInteractive,PC02$,EXAMPLE,PC02,127.0.0.1
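
A triage pass over this CSV, as an added example that is not part of the PR or of hayabusa's code: it lists successful logons whose source address is neither loopback, private nor link-local, which is where the new `RDS-GTW 302` rows stand out. The `Hit` struct and both function names are hypothetical, and the parser assumes no quoted fields.

```rust
use std::net::IpAddr;
// Rows copied from the logon-successful.csv output in this thread (a subset).
const SAMPLE: &str = "\
Successful,Event,Target Account,Target Domain,Target Computer,Logon Type,Source Account,Source Domain,Source Computer,Source IP Address
220,Sec 4624,SYSTEM,NT AUTHORITY,IE8Win7,5 - Service,IE8WIN7$,WORKGROUP,,-
40,Sec 4624,admmig,OFFSEC,fs03vuln.offsec.lan,3 - Network,-,-,,10.23.123.11
6,Sec 4624,DC1$,TEST.LOCAL,dc1.test.local,3 - Network,-,-,,fe80::7191:d555:270f:4d0b
3,Sec 4624,lgrove,3B,01566s-win16-ir.threebeesco.com,3 - Network,-,-,04246W-WIN10,172.16.66.19
2,RDS-GTW 302,Administrator,-,EC2AMAZ-6C3C9U6,-,-,-,-,219.100.37.243
";

#[derive(Debug)]
struct Hit { count: u32, event: String, account: String, computer: String, ip: IpAddr }

// Hypothetical helper: true unless loopback, unspecified, private or link-local.
fn is_external(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => !(a.is_loopback() || a.is_unspecified() || a.is_private() || a.is_link_local()),
        IpAddr::V6(a) => {
            let s = a.segments()[0]; // fe80::/10 link-local, fc00::/7 unique local
            !(a.is_loopback() || a.is_unspecified() || (s & 0xffc0) == 0xfe80 || (s & 0xfe00) == 0xfc00)
        }
    }
}

// Assumes no quoted fields containing commas, which holds for the rows above.
fn external_logons(csv: &str) -> Vec<Hit> {
    let mut lines = csv.lines().filter(|l| !l.trim().is_empty());
    let header: Vec<&str> = lines.next().unwrap_or("").split(',').collect();
    let col = |name: &str| header.iter().position(|h| *h == name);
    let (Some(n), Some(ev), Some(acct), Some(host), Some(src)) = (col("Successful"),
        col("Event"), col("Target Account"), col("Target Computer"), col("Source IP Address"))
    else { return Vec::new() };
    let mut hits = Vec::new();
    for line in lines {
        let f: Vec<&str> = line.split(',').collect();
        if f.len() != header.len() { continue; }
        // "-" or an empty field means no address was recorded: parse fails, row is skipped.
        let Ok(ip) = f[src].trim().parse::<IpAddr>() else { continue };
        if is_external(&ip) {
            hits.push(Hit { count: f[n].parse::<u32>().unwrap_or(0), event: f[ev].into(),
                account: f[acct].into(), computer: f[host].into(), ip });
        }
    }
    hits.sort_by(|a, b| b.count.cmp(&a.count));
    hits
}

fn main() { for h in external_logons(SAMPLE) { println!("{h:?}"); } }
```

On the subset above, only the `RDS-GTW 302` logon for `Administrator` on `EC2AMAZ-6C3C9U6` is returned.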

@fukusuket fukusuket marked this pull request as ready for review November 7, 2024 14:24
@YamatoSecurity
Collaborator

@fukusuket Thanks so much!
I did get a crash, probably from a corrupted log:

[ERROR] timestamp parse error. input: null input contains invalid characters
thread 'main' panicked at src/timeline/metrics.rs:226:36:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Sorry I can't share the evtx file as it's a private file.

@YamatoSecurity
Collaborator

We should probably output errors to a log file like csv-timeline and at the end tell the user that errors were generated and to check the error log. Also be able to ignore errors with `-Q, --quiet-errors` (Quiet errors mode: do not save error logs).

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you so much for checking! I'll fix it!💪
Since this code has not been changed, I assume the error would still occur in previous release versions? (If so, it might be better to put it in the ChangeLog as a BugFix.)

@YamatoSecurity
Collaborator

@fukusuket Thanks! I tested on 2.18.0 and indeed it is a bug in previous versions as well so I created this issue: #1477

Let's fix the bug first with a different PR and then I will check the results of this PR.

@fukusuket
Collaborator Author

fukusuket commented Nov 8, 2024

@YamatoSecurity
I fixed it to output the following message when the EventID cannot be obtained!
Could you please check?🙏

% cat ./logs/errorlog-20241108_093230.log
[ERROR] Failed to parse EventID from EventFile: ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx, EventRecordID: 8863827
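
The pattern discussed in this thread, as an added sketch that is not hayabusa's code: a record whose EventID cannot be read yields an error-log line and the scan continues, instead of `Option::unwrap()` panicking. Records are modelled as constructed XML strings, and `extract_event_id`, `summarize` and `Summary` are hypothetical names.

```rust
use std::collections::BTreeMap;

// Constructed records (EventRecordID, System XML); 102 and 103 stand in for corrupted entries.
const RECORDS: [(u64, &str); 4] = [
    (101, "<System><EventID>4624</EventID></System>"),
    (102, "<System><Channel>Security</Channel></System>"),
    (103, "<System><EventID Qualifiers=\"0\">null</EventID></System>"),
    (104, "<System><EventID Qualifiers=\"16384\">302</EventID></System>"),
];

#[derive(Debug, Default)]
struct Summary { counts: BTreeMap<u32, usize>, errors: Vec<String> }

// Hypothetical extractor: None (never a panic) when the element is missing or not numeric.
fn extract_event_id(xml: &str) -> Option<u32> {
    let rest = &xml[xml.find("<EventID")?..];
    let open_end = rest.find('>')?;
    let close = rest.find("</EventID>")?;
    rest.get(open_end + 1..close)?.trim().parse().ok()
}

// quiet_errors mirrors the -Q, --quiet-errors behaviour mentioned in the thread.
fn summarize(file: &str, records: &[(u64, &str)], quiet_errors: bool) -> Summary {
    let mut s = Summary::default();
    for (record_id, xml) in records {
        match extract_event_id(xml) {
            Some(id) => *s.counts.entry(id).or_insert(0) += 1,
            None if quiet_errors => {}
            // Same message shape as the error log line posted in the thread.
            None => s.errors.push(format!(
                "[ERROR] Failed to parse EventID from EventFile: {file}, EventRecordID: {record_id}"
            )),
        }
    }
    s
}

fn main() {
    let s = summarize("sample.evtx", &RECORDS, false);
    println!("{:?}", s.counts);
    if !s.errors.is_empty() {
        println!("{} errors were generated; check the error log.", s.errors.len());
    }
}
```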

Collaborator

@YamatoSecurity YamatoSecurity left a comment

@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit bf754af into main Nov 8, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1468-add-rdp-logon-summary branch November 8, 2024 07:15
Labels
enhancement New feature or request
Development

Successfully merging this pull request may close these issues.

Bug: logon-summary crash Add RDP logon/logoff info to logon-summary
2 participants