Tonyajoy.com
29/09/2022

What is a 4672 special logon?

What is a 4672 special logon?

4672: Special privileges assigned to new logon. This event lets you know whenever an account that has been assigned any “administrator equivalent” user rights logs on. For instance, you will see event 4672 in close proximity to logon events (4624) for administrators, since administrators have most of these admin-equivalent rights.

What is SeAssignPrimaryTokenPrivilege?

SeAssignPrimaryTokenPrivilege (“Replace a process-level token”) is required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

What is logon in Event Viewer?

Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625 documents failed logon attempts.

What is SeBackupPrivilege?

SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access. A caller with SeBackupPrivilege enabled obviates the need for any ACL-based security check.

What is a potato exploit?

Juicy Potato is a local privilege escalation tool created by Andrea Pierini and Giuseppe Trotta to exploit Windows service accounts’ impersonation privileges. The tool takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege if enabled on the machine to elevate the local privileges to System.

How can I tell if someone is logged into my computer remotely?

  1. Hold down the Windows Key, and press “R” to bring up the Run window.
  2. Type “CMD”, then press “Enter” to open a command prompt.
  3. At the command prompt, type the following, then press “Enter”: query user /server:computername
  4. The computer name or domain followed by the username is displayed.

What is Ntlmssp logon process?

Logon Type 3 is network logon. NTLMSSP (NT LAN Manager Security Support Provider) is a security support provider that is available on all versions of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for authentication.

What is SeIncreaseWorkingSetPrivilege?

SeIncreaseWorkingSetPrivilege (“Increase a process working set”) is required to call SetProcessWorkingSetSize to increase the minimum working set. This indirectly allows the process to lock up to the minimum working set of memory using VirtualLock.

What is SeMachineAccountPrivilege?

SeMachineAccountPrivilege is also known as “Add workstations to domain”. Default assignment: Authenticated Users. This user right only has effect on domain controllers. It has no function on member servers or workstations. This right allows the holder to create up to 10 computer accounts in the domain.

What is print spoofer?

PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10. To escalate privileges, the service account must have SeImpersonate privileges. To execute: PrintSpoofer.exe -i -c cmd.

What is a Type 2 logon?

An event with logon type = 2 occurs whenever a user logs on (or attempts to log on) to a computer locally, e.g. by typing a user name and password at the Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account.

What is Advapi process?

Advapi is the logon process IIS uses for handling Web logons. Logon type 8 indicates a network logon that uses a clear-text password, which is the case when someone uses basic authentication to log on to IIS.

What is logon type 10?

Logon type 10 refers to remote interactive logons. Event ID 528 with logon type 10 means that the user logged on to the computer through RDP by using either Remote Desktop or Windows 2000 Server Terminal Services.

What is logon type 11?

Type 11 (Cached Interactive logon): This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials.
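
The answers on 4672 and on the individual logon types fit together when a 4624 logon is joined to the 4672 record that carries the same logon ID. The following is an added example, not code from the original page: the sample records are constructed, the field names follow the 4624/4672 event data, and the rule in review_queue (a special logon arriving as type 8 or type 10) is an assumed triage policy.

```python
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Privileges named in the Juicy Potato and PrintSpoofer answers on this page.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample records (not real telemetry); field names follow the
# 4624/4672 event data: TargetLogonId, SubjectLogonId, PrivilegeList.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetLogonId": "0x3E7A1",
     "LogonType": 10, "LogonProcessName": "User32", "IpAddress": "203.0.113.7"},
    {"EventID": 4672, "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeBackupPrivilege SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventID": 4624, "TargetUserName": "bob", "TargetLogonId": "0x51c02",
     "LogonType": 2, "LogonProcessName": "User32", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "svc_web", "TargetLogonId": "0x7f310",
     "LogonType": 8, "LogonProcessName": "Advapi", "IpAddress": "198.51.100.20"},
    {"EventID": 4672, "SubjectUserName": "svc_web", "SubjectLogonId": "0x7f310",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege"},
]

def correlate(events):
    """Join each 4624 logon with the 4672 record sharing its logon ID."""
    privs = {e["SubjectLogonId"].lower(): set(e["PrivilegeList"].split())
             for e in events if e["EventID"] == 4672}
    sessions = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        held = privs.get(e["TargetLogonId"].lower(), set())
        sessions.append({
            "user": e["TargetUserName"],
            "logon_type": LOGON_TYPES.get(e["LogonType"], f"Type {e['LogonType']}"),
            "process": e["LogonProcessName"].strip(),
            "source": e["IpAddress"],
            "special": bool(held),  # True when a matching 4672 exists
            "token_privs": sorted(held & TOKEN_PRIVS),
        })
    return sessions

def review_queue(sessions):
    """Special logons that arrived over RDP or with a clear-text password."""
    remote = {"RemoteInteractive", "NetworkCleartext"}
    return [s for s in sessions if s["special"] and s["logon_type"] in remote]

if __name__ == "__main__":
    for s in review_queue(correlate(SAMPLE_EVENTS)):
        print(s)
```

Logon IDs are compared case-insensitively because the same hexadecimal value can be rendered in either case depending on how the events were exported.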
