Could be a backup system or something like that kicking off a ‘run as’… looks like it. I don’t know the product though.

Rob

Robert Rutherford
T: +44 (0) 8456 440 331

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan

Hi,

So I decided to try out GFI event monitor, I am loving it so far, but I am not a security expert so I am easy to impress.

Anyway, I got a bunch of emails like the one below. Have you guys seen something similar in your logs? Is this someone trying to hack or a service trying to run something?

Thanks

Subject: 11/12/2006 12:28:38 PM "Run As" command used - to impersonate Administrators - outside work hours - Critical - <servername> - 552

Logon attempt using explicit credentials:
  Logged on user:
    User Name: administrator
    Domain: domain
    Logon ID: (0x2,0x9D018B17)
    Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}
  User whose credentials were used:
    Target User Name: administrator
    Target Domain: domain.com
    Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}
    Target Server Name: server.domain.com
    Target Server Info: cifs/server.domain.com
    Caller Process ID: 1620
    Source Network Address: -