下面顯示的是 Windows 日誌事件 ID 4624 server2$。UMFD-3
根據我的研究,UMFD是使用者模式驅動框架元件根據此產生的系統帳戶文章。這也可以透過 JSON 中的目標用戶 Sid 進行確認。
server2$機器帳號與使用者互動登入是否正常UMFD-3?在什麼情況下這被認為是正常行為?
{
"TimeCreated":"2023-10-18T20:02:16.591442200Z",
"EventID":"4624",
"Task":12544,
"Correlation":{
"ActivityID":"{6a8486ef-9f7c-4654-a68c-2320d44b3d9d}"
},
"Keywords":"Audit Success",
"Channel":"Security",
"Opcode":"Info",
"Security":"",
"Provider":{
"Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name":"Microsoft-Windows-Security-Auditing"
},
"EventRecordID":685468077,
"Execution":{
"ThreadID":820,
"ProcessID":700
},
"Version":2,
"Computer":"server2.contoso.com",
"Level":"Information",
"EventData":{
"WorkstationName":"-",
"TargetDomainName":"Font Driver Host",
"VirtualAccount":"%%1842",
"SubjectUserSid":"S-1-5-18",
"TargetOutboundDomainName":"-",
"LogonProcessName":"Advapi",
"TargetLinkedLogonId":"0x532a6083",
"ImpersonationLevel":"%%1833",
"TargetUserName":"UMFD-3",
"TargetUserSid":"S-1-5-96-0-3",
"IpAddress":"-",
"ProcessId":"0x8f4",
"KeyLength":"0",
"ProcessName":"C:\\Windows\\System32\\winlogon.exe",
"SubjectUserName":"server2$",
"LogonType":"2",
"TargetOutboundUserName":"-",
"TransmittedServices":"-",
"LogonGuid":"{00000000-0000-0000-0000-000000000000}",
"SubjectLogonId":"0x3e7",
"ElevatedToken":"%%1843",
"RestrictedAdminMode":"-",
"TargetLogonId":"0x532a616b",
"IpPort":"-",
"AuthenticationPackageName":"Negotiate",
"LmPackageName":"-",
"SubjectDomainName":"contoso"
},
"Message":"An account was successfully logged on."
}