下面显示的是 Windows 日志事件 ID 4624。该日志似乎表明机器帐户server2$正在尝试以交互方式登录UMFD-3。
根据我的研究,UMFD 是由用户模式驱动框架组件生成的系统帐户文章。这也可以通过 JSON 中的目标用户 Sid 来确认。
server2$机器账户与用户交互登录是否正常UMFD-3?在什么情况下这被视为正常行为?
{
"TimeCreated":"2023-10-18T20:02:16.591442200Z",
"EventID":"4624",
"Task":12544,
"Correlation":{
"ActivityID":"{6a8486ef-9f7c-4654-a68c-2320d44b3d9d}"
},
"Keywords":"Audit Success",
"Channel":"Security",
"Opcode":"Info",
"Security":"",
"Provider":{
"Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name":"Microsoft-Windows-Security-Auditing"
},
"EventRecordID":685468077,
"Execution":{
"ThreadID":820,
"ProcessID":700
},
"Version":2,
"Computer":"server2.contoso.com",
"Level":"Information",
"EventData":{
"WorkstationName":"-",
"TargetDomainName":"Font Driver Host",
"VirtualAccount":"%%1842",
"SubjectUserSid":"S-1-5-18",
"TargetOutboundDomainName":"-",
"LogonProcessName":"Advapi",
"TargetLinkedLogonId":"0x532a6083",
"ImpersonationLevel":"%%1833",
"TargetUserName":"UMFD-3",
"TargetUserSid":"S-1-5-96-0-3",
"IpAddress":"-",
"ProcessId":"0x8f4",
"KeyLength":"0",
"ProcessName":"C:\\Windows\\System32\\winlogon.exe",
"SubjectUserName":"server2$",
"LogonType":"2",
"TargetOutboundUserName":"-",
"TransmittedServices":"-",
"LogonGuid":"{00000000-0000-0000-0000-000000000000}",
"SubjectLogonId":"0x3e7",
"ElevatedToken":"%%1843",
"RestrictedAdminMode":"-",
"TargetLogonId":"0x532a616b",
"IpPort":"-",
"AuthenticationPackageName":"Negotiate",
"LmPackageName":"-",
"SubjectDomainName":"contoso"
},
"Message":"An account was successfully logged on."
}