Answered

Lots of PDQ activity in Security event logs

Hey guys, my supervisor is wanting to know what's all the activity PDQ is showing in user computers' event logs. Under the Security logs there are lots of "Logon" and "Logoff" events happening tied to PDQ. I'll post a few below.

Event ID: 4634

An account was logged off.

Subject:
Security ID: Hidden\PDQ$
Account Name: PDQ$
Account Domain: Hidden
Logon ID: 0x23E39C6

Logon Type: 3

Event ID: 4624

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: Hidden\PDQ$
Account Name: PDQ$
Account Domain: Hidden.CORP
Logon ID: 0x23E3B67
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -

Comments

2 comments
  • Lee,

    It looks like you are using a managed service account. Passwords for MSAs are stored in Active Directory, and the server has to retrieve the password from AD in order to authenticate the account. This process is going to generate lots of logs like this no matter what you do; it is inevitable.

    I would say that it is not a cause for concern; these are literally just logs of your PDQ managed service account authenticating to Active Directory. Frankly, if these logs didn't exist there would be a problem, since your PDQ would be broken.

    What exactly are you/your supervisor concerned about? Are these logs filling up your SIEM solution or something like that?

    1
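An added example, not code from the thread or from PDQ: a PowerShell script that pulls the same two event IDs shown in the question (4624 and 4634) from the local Security log, keeps only the entries for the service account, and summarises them by event ID and logon type. In a healthy deployment nearly everything should be Logon Type 3 (network) arriving from the PDQ server; the last step lists any logon for that account that does not fit that pattern, which is what a supervisor would actually want to see before dismissing the volume as noise. The account name `PDQ$` comes from the post; the server name `PDQSERVER` is an assumed placeholder.

```powershell
# Added example (not from the thread): attribute Security-log logon/logoff
# activity for a service account instead of eyeballing individual events.
# Assumptions (not from the original post): the account is 'PDQ$' and the
# PDQ Deploy server is named 'PDQSERVER'. Change both to match your environment.
param(
    [string]$Account   = 'PDQ$',
    [string]$PdqServer = 'PDQSERVER',   # assumed placeholder name
    [int]$Hours        = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 = account successfully logged on, 4634 = account logged off
# (the two event IDs pasted in the question).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the named fields out of each event's XML. 4624 carries LogonType,
# IpAddress and WorkstationName; 4634 carries LogonType only.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $Account) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        LogonType   = [int]$d['LogonType']
        Source      = if ($e.Id -eq 4624) { $d['IpAddress'] }       else { '-' }
        Workstation = if ($e.Id -eq 4624) { $d['WorkstationName'] } else { '-' }
    }
}

"Events for $Account in the last $Hours h: $($rows.Count)"

# Expected picture for a healthy deployment: almost everything is 4624/4634
# with LogonType 3 (network), and the 4624s come from the PDQ server.
$rows | Group-Object Id, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# Anything outside that pattern deserves a look: an interactive (2) or RDP (10)
# logon for a service account, or a network logon from a machine other than
# the PDQ server. WorkstationName can be blank for Kerberos logons, so only
# compare it when it is present.
$rows |
    Where-Object {
        $_.Id -eq 4624 -and
        ($_.LogonType -ne 3 -or ($_.Workstation -and $_.Workstation -ne $PdqServer))
    } |
    Format-Table Time, LogonType, Source, Workstation -AutoSize
```

Run it in an elevated PowerShell session on one of the managed workstations (reading the Security log requires administrative rights). If the first summary shows only `4624, 3` and `4634, 3` and the final table is empty, the volume is exactly the service-account authentication Luke describes; a non-empty final table is the one case where the "lots of events" question turns into something worth investigating.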
  • Luke, I appreciate the answer. My supervisor just didn't understand why there were so many of them and what they meant. I will pass along your answer and I'm sure that will satisfy him :)

    Thanks again bud.

    1