Shown below is a windows log event id 4624. The log seems to convey that the machine account server2$ is trying to interactively log in as UMFD-3 interactively.
From my research, UMFD is a system account generated by the User Mode Driver Framework component according to this article. This can also be confirmed with the Target User Sid in the JSON.
Is it normal for the machine account server2$ to log in interactively with the user UMFD-3? In what situations is this considered normal behavior?
{
"TimeCreated":"2023-10-18T20:02:16.591442200Z",
"EventID":"4624",
"Task":12544,
"Correlation":{
"ActivityID":"{6a8486ef-9f7c-4654-a68c-2320d44b3d9d}"
},
"Keywords":"Audit Success",
"Channel":"Security",
"Opcode":"Info",
"Security":"",
"Provider":{
"Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name":"Microsoft-Windows-Security-Auditing"
},
"EventRecordID":685468077,
"Execution":{
"ThreadID":820,
"ProcessID":700
},
"Version":2,
"Computer":"server2.contoso.com",
"Level":"Information",
"EventData":{
"WorkstationName":"-",
"TargetDomainName":"Font Driver Host",
"VirtualAccount":"%%1842",
"SubjectUserSid":"S-1-5-18",
"TargetOutboundDomainName":"-",
"LogonProcessName":"Advapi",
"TargetLinkedLogonId":"0x532a6083",
"ImpersonationLevel":"%%1833",
"TargetUserName":"UMFD-3",
"TargetUserSid":"S-1-5-96-0-3",
"IpAddress":"-",
"ProcessId":"0x8f4",
"KeyLength":"0",
"ProcessName":"C:\\Windows\\System32\\winlogon.exe",
"SubjectUserName":"server2$",
"LogonType":"2",
"TargetOutboundUserName":"-",
"TransmittedServices":"-",
"LogonGuid":"{00000000-0000-0000-0000-000000000000}",
"SubjectLogonId":"0x3e7",
"ElevatedToken":"%%1843",
"RestrictedAdminMode":"-",
"TargetLogonId":"0x532a616b",
"IpPort":"-",
"AuthenticationPackageName":"Negotiate",
"LmPackageName":"-",
"SubjectDomainName":"contoso"
},
"Message":"An account was successfully logged on."
}
