Elastic Windows Event Explorer


Publisher - Microsoft-Windows-Security-Auditing

Event ID 5381

Message:

Vault credentials were read.

Subject:
	Security ID:		%{SubjectUserSid}
	Account Name:		%{SubjectUserName}
	Account Domain:		%{SubjectDomainName}
	Logon ID:		%{SubjectLogonId}

This event occurs when a user enumerates stored vault credentials.

Event Data:

#	Name	In Type	Out Type
1	SubjectUserSid	win:SID	xs:string
2	SubjectUserName	win:UnicodeString	xs:string
3	SubjectDomainName	win:UnicodeString	xs:string
4	SubjectLogonId	win:HexInt64	win:HexInt64
5	Flags	win:UInt32	xs:unsignedInt
6	CountOfCredentialsReturned	win:UInt32	xs:unsignedInt
7	ProcessCreationTime	win:FILETIME	xs:dateTime
8	ClientProcessId	win:UInt32	xs:unsignedInt

Observed Windows Versions:

Version: 0

Fingerprint: 4HFE7LOAUJX3K