Microsoft windows security 5379

5379: Credential Manager credentials were read

On this page

• Description of this event
• Field level details
• Examples

This is event is new in Windows Server 2019.  This event occurs when a user performs a read operation on stored credentials in Credential Manager.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in
5379

Subject:

The user and logon session that performed the action.

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or — in the case of local accounts — computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
• Read Operation: 

Supercharger Free Edition

Картинка с сайта: www.ultimatewindowssecurity.com

Your entire Windows Event Collection environment on a single pane of glass.

Free.

Картинка с сайта: www.socinvestigation.com

Attacks by malware are continuously growing. These malicious files use high-obfuscation algorithms to hide from traditional anti-malware detection solutions, and unfortunately, the threat actors are becoming more and more successful. 

One technique that has seen a positive track record for evading detection is when a malicious document is password-protected, and the password is given in the email body, making it easy to trick unsuspecting users into opening the malicious file.

Password protection makes it harder for traditional detection solutions to scan the attachment for malicious code.

Also Read: Most Common Windows Event IDs to Hunt – Mind Map

Example of the Malware Attack

The employee receives an email that appears to be from a trusted and well-known sender, or a common brand, with a catchy subject (ex. ‘Invoice’, ‘Payment verification’, etc). The email contains an attached file that is zipped and password-protected by the attacker, and they’ll also include a full name (e.g. Tenesha Mitchell) to make it seem human. The password creates the illusion the attachment must contain confidential personal information that had to be secured.

When an employee receives the compromised email with the password-protected file and the required password to access the file, it raised no suspicions.

Also Read: Threat Hunting Using Windows Security Log

Attack Detection with Windows Event Logs

Example 1: Attack Detection Case

This event occurs when a user performs a read operation on stored credentials in Credential Manager. Example: Users open up ZIP files which are password-protected files with valid credentials.

Картинка с сайта: www.socinvestigation.com

The above figure illustrates User has opened the test (2).zip file. SBousseaden says opening a password-protected zip file using Windows Explorer generates a credman event 5379 with Target “Microsoft_Windows_Shell_ZipFolder:filename=zip_fil_path”.

Also Read: Malware Hiding Techniques in Windows Operating System

This can be correlated when malware is executed with windows legitimate processes ( Explorer.exe ) on specific file paths. Similar cases are also observed when users download, cracks/keygens to enable the full features of legitimate software. But ending up with system/network infections.

Картинка с сайта: www.socinvestigation.com

The above query shows that malware spread has been successfully detected using the event ID 5379.

Example 2: False Positive Case

Some people may experience Event ID 5379 flooding. It is good to review their user accounts/programs that are connected with the credential manager.

Картинка с сайта: www.socinvestigation.com

Assume Windows admin has disabled a user in my Active Directory (terminated the account). However, still getting the log that Event IDs 5379 (credential manager credentials were read.), 4673 (a privileged service was called.), 4656 (a handle to an object was requested.)

And the processes called are:

gfxdownloadwrapper.exe  4673
lsbupdater.exe  4673
cleanmgr.exe    4673
quickup.exe 4673
searchui.exe    4673

Disabling an account in AD doesn’t mean an account cannot log on to an endpoint due to cached credentials. The account may not have been disabled/removed from the machine in question, so some scheduled tasks associated with the account are still being executed on the machine (e.g. search indexing, disk cleanup, etc).

Considering the above scenario we can mark it as false-positive.

EQL Detection Query:

sequence by host.id with maxspan=1m
[any where event.code : "5379" and winlog.event_data.TargetName : "Microsoft_Windows_Shell_ZipFolder*"]
 [process where event.action == "start" and process.executable : "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and process.parent.name : "explorer.exe"]

Also Read: How to Detect Privilege Escalation Attacks and UAC Bypass on Windows

Other SIEM Products:

SOC analyst/ SOC Engineers use the below logic to create effective rules on their SIEMS to track Windows Event ID 5379 with malicious behaviors.

Correlate event ID 5379 with Target name "Microsoft_Windows_Shell_ZipFolder*" and process executable paths "?:\\Users\\*\\Appdata\\Local\\Temp\\Temp?_*" and parent process "explorer.exe" and process action is start.

Happy Hunting!

References:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379

securityboulevard.com

https://serverfault.com/questions/1092543/a-user-activity-is-detected-from-a-disabled-account-in-active-directory

Readers help support Windows Report. We may get a commission if you buy through our links.

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Have you noticed an event ID 5379 popup in the event viewer at the same time as your mouse disconnects? If you have, you are probably wondering what the solution is.

In this article, we have investigated the problem, and we introduce probable triggers as well as the most practical solutions.

Why does my mouse disconnect with the event ID 5379 notification?

The following are the possible causes of this disconnecting mouse issue:

• Faulty or incompatible mouse driver – It’s possible that the mouse driver installed on your computer is either outdated, corrupted, or incompatible with your operating system.
• USB power management – Sometimes, when the system goes into power-saving mode, it might disable the USB ports, which can cause the mouse to disconnect.
• Wireless interference – If you use a wireless mouse, the connection may be affected by other devices or wireless signals in the surrounding area.
• Hardware or mouse defect – Sometimes, a faulty or malfunctioning mouse can cause frequent disconnections. It’s important to consider hardware issues as a potential factor.

How do I fix event ID 5379 caused by a disconnected mouse?

Before going into any detailed solution, try the following workarounds:

• Check for hardware damage – You may try the mouse on a different computer and replace your mouse if it is damaged.
• Restart the computer – In some cases, the glitch may be minor, and a simple reboot will force any problematic process causing the error to stop.
• Stay within range – If you use a wireless mouse, ensure you are within range to avoid disconnection.
• Check USB connections – Ensure the cables or USB ports are not damaged; you may clean them to remove particles.

If none of the pre-solutions work, proceed to the major fixes we explore below.

1. Update mouse drivers

1. Right-click the Start menu and select Device Manager.
   

   Картинка с сайта: windowsreport.com

2. Expand the Mice and other pointing devices category, right-click on your mouse, and click Update driver.
   

   Картинка с сайта: windowsreport.com

3. Select Search automatically for drivers.
   

   Картинка с сайта: windowsreport.com

4. Verify it fixes the mouse disconnection causing the event ID 5379.

2. Restore the computer

1. Press Windows + R to open the Run dialog.
2. Type rstrui, and hit Enter.
3. Click the Next button.
   

   Картинка с сайта: windowsreport.com

4. Select a restore point and hit Next.
   

   Картинка с сайта: windowsreport.com

5. Click on Finish.
   

   Картинка с сайта: windowsreport.com

6. The computer would restart in the process, but at the end, verify that it fixes the mouse disconnection that triggers event id 5379.

3. Adjust the Power Management settings

1. Right-click the Start menu and select Device Manager.
   

   Картинка с сайта: windowsreport.com

2. Expand the Universal Serial Bus controllers category.
   

   Картинка с сайта: windowsreport.com

3. Right-click on each USB Root Hub and select Properties.
   

   Картинка с сайта: windowsreport.com

4. In the Properties window, go to the Power Management tab, then uncheck the box that says Allow the computer to turn off this device to save power.
   

   Картинка с сайта: windowsreport.com

5. Click OK, and now, repeat these steps for all USB Root Hubs listed.
6. Finally, restart your computer and check if the mouse disconnection issue persists.

There you have it. Note that we have not discussed these fixes in any particular order, so after the initial workarounds, you should try whatever seems the most applicable to your situation.

You may also want to read more on mouse disconnection issues if you need further troubleshooting.

Please let us know what worked for you in the comments section below.

Afam is a geek and the go-to among his peers for computer solutions. He has a wealth of experience with Windows operating systems, dating back to his introduction to Windows 98. He is passionate about technology amongst many other fields. Aside from putting pen to paper, he is a passionate soccer lover, a dog breeder, and enjoys playing the guitar and piano.