ESENT

36 events across 1 channel

Event | Title | Channel | Sample
102 | Event ID 102 | Application | Y
103 | Event ID 103 | Application | Y
105 | Event ID 105 | Application | Y
204 | Event ID 204 | Application | Y
205 | Event ID 205 | Application | Y
210 | Event ID 210 | Application | Y
213 | Event ID 213 | Application | Y
216 | Event ID 216 | Application | Y
220 | Event ID 220 | Application | Y
221 | Event ID 221 | Application | Y
223 | Event ID 223 | Application | Y
224 | Event ID 224 | Application | Y
225 | Event ID 225 | Application | Y
300 | Event ID 300 | Application | Y
301 | Event ID 301 | Application | Y
302 | Event ID 302 | Application | Y
325 | Event ID 325 | Application | Y
326 | Event ID 326 | Application | Y
327 | Event ID 327 | Application | Y
412 | Event ID 412 | Application | Y
413 | Event ID 413 | Application | Y
455 | Event ID 455 | Application | Y
471 | Event ID 471 | Application | Y
490 | Event ID 490 | Application | Y
492 | Event ID 492 | Application | Y
508 | Event ID 508 | Application | Y
533 | Event ID 533 | Application | Y
609 | Event ID 609 | Application | Y
612 | Event ID 612 | Application | Y
636 | Event ID 636 | Application | Y
637 | Event ID 637 | Application | Y
640 | Event ID 640 | Application | Y
700 | Event ID 700 | Application | Y
701 | Event ID 701 | Application | Y
2005 | certsrv (13200,G,0) Shadow copy instance 1 starting. | Application | Y
2006 | certsrv (13200,G,0) Shadow copy instance 1 completed successfully. | Application | Y

Event ID 102

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5564171+00:00",
    "event_record_id": 738,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,P,98",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "0",
    "Data_4": "10",
    "Data_5": "00",
    "Data_6": "20348",
    "Data_7": "0000"
  },
  "message": "svchost (1540,P,98) DS_Token_DB: The database engine (10.00.20348.0000) is starting a new instance (0)."
}

Event ID 103

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T06:33:21.4302230+00:00",
    "event_record_id": 666,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "DFSRs",
    "Data_1": "3760,T,97",
    "Data_2": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
    "Data_3": "0",
    "Data_4": "\n[1] 0.000004 +J(0)\n[2] 0.000012 +J(0)\n[3] 0.000018 +J(0)\n[4] 0.000002 +J(0)\n[5] 0.009739 -0.001981 (7) WT +J(0) +M(C:-8K, Fs:5, WS:-4K # 0K, PF:-8K # 0K, P:-8K)\n[6] 0.000009 +J(0)\n[7] 0.000007 +J(0)\n[8] 0.011066 -0.002733 (13) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3060/2) +M(C:0K, Fs:7, WS:-28K # 0K, PF:-28K # 0K, P:-28K)\n[9] 0.001829 -0.000283 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:1, WS:4K # 0K, PF:20K # 0K, P:20K)\n[10] 0.000201 +J(0)\n[11] 0.002495 -0.001032 (2) WT +J(0)\n[12] 0.000017 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000183 +J(0) +M(C:0K, Fs:0, WS:-216K # 0K, PF:-228K # 0K, P:-228K)\n[14] 0.000036 +J(0) +M(C:0K, Fs:0, WS:-72K # 0K, PF:-92K # 0K, P:-92K)\n[15] 0.000004 +J(0).",
    "Data_5": "0"
  },
  "message": "DFSRs (3760,T,97) \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: The database engine stopped the instance (0). \r\n \r\nDirty Shutdown: 0 \r\n \r\nInternal Timing Sequence: \n[1] 0.000004 +J(0)\n[2] 0.000012 +J(0)\n[3] 0.000018 +J(0)\n[4] 0.000002 +J(0)\n[5] 0.009739 -0.001981 (7) WT +J(0) +M(C:-8K, Fs:5, WS:-4K # 0K, PF:-8K # 0K, P:-8K)\n[6] 0.000009 +J(0)\n[7] 0.000007 +J(0)\n[8] 0.011066 -0.002733 (13) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3060/2) +M(C:0K, Fs:7, WS:-28K # 0K, PF:-28K # 0K, P:-28K)\n[9] 0.001829 -0.000283 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:1, WS:4K # 0K, PF:20K # 0K, P:20K)\n[10] 0.000201 +J(0)\n[11] 0.002495 -0.001032 (2) WT +J(0)\n[12] 0.000017 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000183 +J(0) +M(C:0K, Fs:0, WS:-216K # 0K, PF:-228K # 0K, P:-228K)\n[14] 0.000036 +J(0) +M(C:0K, Fs:0, WS:-72K # 0K, PF:-92K # 0K, P:-92K)\n[15] 0.000004 +J(0)."
}

Event ID 105

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6501654+00:00",
    "event_record_id": 742,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,D,0",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "0",
    "Data_4": "0",
    "Data_5": "\n[1] 0.000863 +J(0) +M(C:0K, Fs:138, WS:532K # 532K, PF:2652K # 2652K, P:2652K)\n[2] 0.000483 +J(0) +M(C:8K, Fs:126, WS:496K # 496K, PF:1216K # 1216K, P:1216K)\n[3] 0.000025 +J(0) +M(C:0K, Fs:14, WS:52K # 52K, PF:72K # 72K, P:72K)\n[4] 0.000198 +J(0) +M(C:0K, Fs:74, WS:296K # 296K, PF:184K # 184K, P:184K)\n[5] 0.002430 +J(0) +M(C:0K, Fs:48, WS:192K # 192K, PF:28K # 28K, P:28K)\n[6] 0.005455 +J(0) +M(C:0K, Fs:68, WS:272K # 272K, PF:48K # 48K, P:48K)\n[7] 0.002805 -0.000622 (2) WT +J(0) +M(C:0K, Fs:33, WS:132K # 132K, PF:64K # 64K, P:64K)\n[8] 0.027728 -0.010559 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:111, WS:300K # 304K, PF:212K # 216K, P:212K)\n[9] 0.000715 +J(0) +M(C:0K, Fs:5, WS:20K # 16K, PF:4K # 0K, P:4K)\n[10] 0.001094 -0.000385 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000031 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004739 -0.002736 (1) WT +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.052292 -0.000596 (2) CM -0.023208 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:88K # 104K, PF:228K # 236K, P:228K)\n[14] 0.000020 +J(0)\n[15] 0.000016 +J(0)\n[16] 0.000886 -0.000177 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K).",
    "Data_6": "lgposV2[] = 00000003:0001:0000 - 00000003:0004:0367 - 00000003:0005:0000 - 00000003:0005:0000 (00000000:0000:0000)\ncReInits = 2\n"
  },
  "message": "svchost (1540,D,0) DS_Token_DB: The database engine started a new instance (0). (Time=0 seconds) \r\n \r\nAdditional Data:\r\n lgposV2[] = 00000003:0001:0000 - 00000003:0004:0367 - 00000003:0005:0000 - 00000003:0005:0000 (00000000:0000:0000)\ncReInits = 2\n \r\n \r\nInternal Timing Sequence: \n[1] 0.000863 +J(0) +M(C:0K, Fs:138, WS:532K # 532K, PF:2652K # 2652K, P:2652K)\n[2] 0.000483 +J(0) +M(C:8K, Fs:126, WS:496K # 496K, PF:1216K # 1216K, P:1216K)\n[3] 0.000025 +J(0) +M(C:0K, Fs:14, WS:52K # 52K, PF:72K # 72K, P:72K)\n[4] 0.000198 +J(0) +M(C:0K, Fs:74, WS:296K # 296K, PF:184K # 184K, P:184K)\n[5] 0.002430 +J(0) +M(C:0K, Fs:48, WS:192K # 192K, PF:28K # 28K, P:28K)\n[6] 0.005455 +J(0) +M(C:0K, Fs:68, WS:272K # 272K, PF:48K # 48K, P:48K)\n[7] 0.002805 -0.000622 (2) WT +J(0) +M(C:0K, Fs:33, WS:132K # 132K, PF:64K # 64K, P:64K)\n[8] 0.027728 -0.010559 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:111, WS:300K # 304K, PF:212K # 216K, P:212K)\n[9] 0.000715 +J(0) +M(C:0K, Fs:5, WS:20K # 16K, PF:4K # 0K, P:4K)\n[10] 0.001094 -0.000385 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000031 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004739 -0.002736 (1) WT +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.052292 -0.000596 (2) CM -0.023208 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:88K # 104K, PF:228K # 236K, P:228K)\n[14] 0.000020 +J(0)\n[15] 0.000016 +J(0)\n[16] 0.000886 -0.000177 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K)."
}

Event ID 204

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 204,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.380817+00:00",
    "event_record_id": 4241,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\",
    "Data_4": "C:\\Windows\\system32\\CertLog\\",
    "Binary": ""
  },
  "message": ""
}

Event ID 205

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 205,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.486548+00:00",
    "event_record_id": 4247,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,U,98",
    "Data_2": "Restore0001: ",
    "Binary": ""
  },
  "message": ""
}

Event ID 210

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 210,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 94,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: "
    ]
  },
  "message": ""
}

References #

Event ID 213

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 213,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:23:00+00:00",
    "event_record_id": 99,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: "
    ]
  },
  "message": ""
}

References #

Event ID 216

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description | Rules
Data | | 1 detection rule

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 216,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-05T19:36:36.537144+00:00",
    "event_record_id": 442136,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "lsass",
      "548",
      "",
      "C:\\Windows\\NTDS\\ntds.dit",
      "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

Detection Patterns #

Credential Access: NTDS

1 rule

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #


YARA-L

References #

Event ID 220

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 220,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 95,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore",
      "2 Mb"
    ]
  },
  "message": ""
}

References #

Event ID 221

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 221,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 96,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore"
    ]
  },
  "message": ""
}

References #

Event ID 223

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 223,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:23:00+00:00",
    "event_record_id": 97,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log"
    ]
  },
  "message": ""
}

References #

Event ID 224

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 224,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:06:22.480449+00:00",
    "event_record_id": 4227,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "13036,D,81",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb00001.log",
    "Data_4": "C:\\Windows\\system32\\CertLog\\edb00001.log",
    "Binary": ""
  },
  "message": ""
}

Event ID 225

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 225,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T13:41:34.6041240+00:00",
    "event_record_id": 654,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3664,U,98",
    "Data_2": "PeerDistPubCacheJetInstance: "
  },
  "message": "svchost (3664,U,98) PeerDistPubCacheJetInstance: No log files can be truncated. "
}

Event ID 300

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5564171+00:00",
    "event_record_id": 739,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,R,98",
    "Data_2": "DS_Token_DB: "
  },
  "message": "svchost (1540,R,98) DS_Token_DB: The database engine is initiating recovery steps."
}

Event ID 301

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5876674+00:00",
    "event_record_id": 740,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,R,98",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log",
    "Data_4": "\n[1] 0.019763 -0.009452 (8) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:85, WS:204K # 208K, PF:132K # 136K, P:132K).",
    "Data_5": "AttachDB ",
    "Data_6": "2"
  },
  "message": "svchost (1540,R,98) DS_Token_DB: The database engine has finished replaying logfile C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log. \r\n \r\nProcessing Stats: \n[1] 0.019763 -0.009452 (8) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:85, WS:204K # 208K, PF:132K # 136K, P:132K). \r\nLog record of type 'AttachDB ' was seen most frequently (2 times)"
}

Event ID 302

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6345413+00:00",
    "event_record_id": 741,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,U,98",
    "Data_2": "DS_Token_DB: "
  },
  "message": "svchost (1540,U,98) DS_Token_DB: The database engine has successfully completed recovery steps."
}

Event ID 325

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

Name | Description | Rules
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data | | 8 detection rules

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 325,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:38:30.9959300+00:00",
    "event_record_id": 734,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "DFSRs",
    "Data_1": "3832,D,35",
    "Data_2": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
    "Data_3": "1",
    "Data_4": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000175 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002483 -0.000148 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[3] 0.017793 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000373 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.003502 -0.000716 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:42, WS:160K # 0K, PF:244K # 0K, P:244K)\n[6] 0.007479 -0.000235 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:75, WS:300K # 0K, PF:220K # 0K, P:220K)\n[7] 0.002184 -0.000263 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000003 +J(0)\n[9] 0.006297 -0.004371 (4) WT +J(0) +M(C:-52K, Fs:10, WS:-20K # 0K, PF:-44K # 0K, P:-44K)\n[10] 0.009886 -0.000596 (5) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:47, WS:180K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000005 +J(0).",
    "Data_7": "0 0",
    "Data_8": "lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360)"
  },
  "message": "DFSRs (3832,D,35) \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: The database engine created a new database (1, \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db). (Time=0 seconds) \r\n \r\nAdditional Data: lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360) \r\n \r\nInternal Timing Sequence: \n[1] 0.000175 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002483 -0.000148 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[3] 0.017793 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000373 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.003502 -0.000716 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:42, WS:160K # 0K, PF:244K # 0K, P:244K)\n[6] 0.007479 -0.000235 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:75, WS:300K # 0K, PF:220K # 0K, P:220K)\n[7] 0.002184 -0.000263 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000003 +J(0)\n[9] 0.006297 -0.004371 (4) WT +J(0) +M(C:-52K, Fs:10, WS:-20K # 0K, PF:-44K # 0K, P:-44K)\n[10] 0.009886 -0.000596 (5) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:47, WS:180K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000005 +J(0)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 2 rules | sigma
Data | contains | \desktop\ | 1 rule | sigma
Data | contains | \perflogs\ | 1 rule | sigma
Data | contains | \users\public\ | 1 rule | sigma
Provider_Name | eq | ESENT | 2 rules | sigma

Detection Rules #


Sigma

YARA-L

Event ID 326

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 326,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6657933+00:00",
    "event_record_id": 743,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,D,50",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000003 +J(0)\n[2] 0.001071 -0.000515 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 4K, PF:4K # 0K, P:4K)\n[3] 0.011507 -0.003172 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000893 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001077 -0.000873 (2) CM -0.000753 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:3, WS:12K # 0K, PF:28K # 0K, P:28K)\n[9] 0.002592 -0.002210 (3) CM -0.002046 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:8K, Fs:32, WS:128K # 100K, PF:208K # 192K, P:208K)\n[10] 0.000526 -0.000397 (1) CM -0.000348 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:64K # 64K, P:64K)\n[11] 0.000016 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K)\n[12] 0.000040 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:5, WS:20K # 20K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000005 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
    "Data_7": "1 0",
    "Data_8": "lgposAttach = 00000003:0007:0268,\ndbv = 1568.180.400 (9360)"
  },
  "message": "svchost (1540,D,50) DS_Token_DB: The database engine attached a database (1, C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat). (Time=0 seconds) \r\n \r\nSaved Cache: 1 0 \r\nAdditional Data: lgposAttach = 00000003:0007:0268,\ndbv = 1568.180.400 (9360) \r\n \r\nInternal Timing Sequence: \n[1] 0.000003 +J(0)\n[2] 0.001071 -0.000515 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 4K, PF:4K # 0K, P:4K)\n[3] 0.011507 -0.003172 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000893 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001077 -0.000873 (2) CM -0.000753 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:3, WS:12K # 0K, PF:28K # 0K, P:28K)\n[9] 0.002592 -0.002210 (3) CM -0.002046 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:8K, Fs:32, WS:128K # 100K, PF:208K # 192K, P:208K)\n[10] 0.000526 -0.000397 (1) CM -0.000348 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:64K # 64K, P:64K)\n[11] 0.000016 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K)\n[12] 0.000040 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:5, WS:20K # 20K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000005 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #


YARA-L

Event ID 327

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 327,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T13:41:33.8541525+00:00",
    "event_record_id": 640,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3908,D,51",
    "Data_2": "",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\System32\\LServer\\TLSLic.edb",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000001 +J(0)\n[3] 0.000019 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[4] 0.000001 +J(0)\n[5] 0.000001 +J(0)\n[6] 0.003213 -0.000382 (1) WT +J(0) +M(C:0K, Fs:3, WS:12K # 0K, PF:0K # 0K, P:0K)\n[7] 0.000012 +J(0)\n[8] 0.001508 -0.000165 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4042/2)\n[9] 0.004767 -0.000426 (5) WT +J(0) +M(C:0K, Fs:1, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.001581 +J(0)\n[11] 0.000031 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K).",
    "Data_7": "0 0",
    "Data_8": "lgposDetach = 00000001:0002:0036"
  },
  "message": "svchost (3908,D,51) The database engine detached a database (1, C:\\Windows\\System32\\LServer\\TLSLic.edb). (Time=0 seconds) \r\n \r\nRevived Cache: 0 0 \r\nAdditional Data: lgposDetach = 00000001:0002:0036 \r\n \r\nInternal Timing Sequence: \n[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000001 +J(0)\n[3] 0.000019 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[4] 0.000001 +J(0)\n[5] 0.000001 +J(0)\n[6] 0.003213 -0.000382 (1) WT +J(0) +M(C:0K, Fs:3, WS:12K # 0K, PF:0K # 0K, P:0K)\n[7] 0.000012 +J(0)\n[8] 0.001508 -0.000165 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4042/2)\n[9] 0.004767 -0.000426 (5) WT +J(0) +M(C:0K, Fs:1, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.001581 +J(0)\n[11] 0.000031 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #


YARA-L

Event ID 412

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 412,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-12T03:05:00.384288+00:00",
    "event_record_id": 49444,
    "correlation": {},
    "execution": {
      "process_id": 3544,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3544,R,98",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\SRU.log",
    "Data_4": "-501",
    "Binary": ""
  },
  "message": ""
}

Event ID 413

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 413,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.148167+00:00",
    "event_record_id": 37478,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,0",
    "Data_2": "SRUJet: ",
    "Data_3": "-1032",
    "Binary": ""
  },
  "message": ""
}

Event ID 455

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 455,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:03:01.690404+00:00",
    "event_record_id": 4186,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certutil.exe",
    "Data_1": "1736,R,98",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
    "Data_4": "-1032 (0xfffffbf8)",
    "Binary": ""
  },
  "message": ""
}

Event ID 471

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 471,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.150050+00:00",
    "event_record_id": 37480,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,43",
    "Data_2": "SRUJet: ",
    "Data_3": "1525",
    "Data_4": "C:\\Windows\\system32\\sru\\SRUDB.dat",
    "Data_5": "-510",
    "Binary": ""
  },
  "message": ""
}

Event ID 490

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 490,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:03:01.689833+00:00",
    "event_record_id": 4185,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certutil.exe",
    "Data_1": "1736,R,98",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
    "Data_4": "-1032 (0xfffffbf8)",
    "Data_5": "32 (0x00000020)",
    "Data_6": "The process cannot access the file because it is being used by another process. ",
    "Binary": ""
  },
  "message": ""
}

Event ID 492

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 492,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.149257+00:00",
    "event_record_id": 37479,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,0",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\",
    "Binary": ""
  },
  "message": ""
}

Event ID 508

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 508,
    "version": 0,
    "level": 3,
    "task": 7,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T06:00:45.9773498+00:00",
    "event_record_id": 643,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "2656,D,0",
    "Data_2": "SoftwareUsageMetrics-Svc: ",
    "Data_3": "C:\\Windows\\system32\\LogFiles\\Sum\\Svc.log",
    "Data_4": "49152 (0x000000000000c000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "15"
  },
  "message": "svchost (2656,D,0) SoftwareUsageMetrics-Svc: A request to write to the file \"C:\\Windows\\system32\\LogFiles\\Sum\\Svc.log\" at offset 49152 (0x000000000000c000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (15 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem."
}

Event ID 533

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 533,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-15T04:09:57.608199+00:00",
    "event_record_id": 5739,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "7392,T,0",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\SRU.chk",
    "Data_4": "0 (0x0000000000000000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "36",
    "Binary": ""
  },
  "message": ""
}

Event ID 609

#
Provider
ESENT
Channel
Application
Level
Informational

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 609,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T19:25:31.000000Z",
    "event_record_id": 521,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Event ID 612

#
Provider
ESENT
Channel
Application
Level
Informational

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 612,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T19:25:31.000000Z",
    "event_record_id": 522,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Event ID 636

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 636,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.391784+00:00",
    "event_record_id": 4243,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Data_4": "ReadHdrFailed",
    "Binary": ""
  },
  "message": ""
}

Event ID 637

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 637,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.393005+00:00",
    "event_record_id": 4244,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Binary": ""
  },
  "message": ""
}

Event ID 640

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 640,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.370498+00:00",
    "event_record_id": 4240,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "-1919",
    "Data_4": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Data_5": "[SignDbHdrFromDb:Create time:03/13/2026 23:06:22.503 Rand:3655758382 Computer:] [SignFmHdrFromDb:Create time:03/13/2026 23:06:22.385 Rand:413456288 Computer:] [SignDbHdrFromFm:Create time:03/13/2026 23:06:22.931 Rand:2864051150 Computer:] [SignFmHdrFromFm:Create time:03/13/2026 23:06:22.945 Rand:3852748920 Computer:]",
    "Binary": ""
  },
  "message": ""
}

Event ID 700

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 700,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-28T22:56:52.420762+00:00",
    "event_record_id": 2450,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "DFSRs",
      "4004,D,0",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db"
    ],
    "Binary": ""
  },
  "message": ""
}

Event ID 701

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

NameDescription
Data
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 701,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-28T22:56:52.420762+00:00",
    "event_record_id": 2451,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "DFSRs",
      "4004,D,0",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db",
      "0",
      "2/28/2026",
      "0",
      "1",
      "1",
      "5"
    ],
    "Binary": ""
  },
  "message": ""
}

Event ID 2005: certsrv (13200,G,0) Shadow copy instance 1 starting.

#
Provider
ESENT
Channel
Application
Level
Informational (level 4)

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:24.5358691+00:00",
    "event_record_id": 253625,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv",
    "Data_1": "13200,G,0",
    "Data_2": "",
    "Data_3": "1"
  },
  "message": "certsrv (13200,G,0) Shadow copy instance 1 starting. This will be a Full shadow copy."
}

Event ID 2006: certsrv (13200,G,0) Shadow copy instance 1 completed successfully.

#
Provider
ESENT
Channel
Application
Level
Informational (level 4)

Fields #

NameDescription
Data_0
Data_1
Data_2
Data_3

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 2006,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:27.7561355+00:00",
    "event_record_id": 253646,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv",
    "Data_1": "13200,G,0",
    "Data_2": "",
    "Data_3": "1"
  },
  "message": "certsrv (13200,G,0) Shadow copy instance 1 completed successfully."
}