Elastic Windows Event Explorer


Publisher - LsaSrv

Event ID 6182

Message:

LogonSession alive after interactive user logoff. Indicates a possible token leak in one of the services. 
Logon ID:%{TargetLogonId}
Account Name:%{AccountName}
Domain Name:%{DomainName}

Event Data:

#  Name           In Type            Out Type
1  TargetLogonId  win:HexInt64       win:HexInt64
2  AccountName    win:UnicodeString  xs:string
3  DomainName     win:UnicodeString  xs:string

Observed Windows Versions:

Version: 0

Fingerprint: 6L55A6VRQM4QA