Windows Forensic Handbook
EventID 4624: An account was successfully logged on


This event indicates that an account has successfully authenticated to the endpoint. In authentication terms it is a Logon Event, meaning it is logged on the destination system, the one being authenticated to.

Analysis Value

  • Login History
  • Logon ID
  • Security Identifier
  • Username
  • Source Identification

Operating System Availability

Major Version    Support    Major Version    Support
Windows 11       ✅         Server 2019      ✅
Windows 10       ✅         Server 2016      ✅
Windows 8        ✅         Server 2012      ✅
Windows 7        ✅         Server 2008      ✅
Windows Vista    ✅         Server 2003      ⚠️
Windows XP       ⚠️

In Windows XP and Windows Server 2003, the corresponding Event ID is 528.

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Security.evtx

Artifact Interpretation

Field (reference) and interpretation:

  • EventData/TargetUserSid (Security Identifier): the SID of the account that authenticated.
  • EventData/TargetLogonId (Logon ID): the Logon ID of the session that was authenticated. This field is of particular interest because it can be used to cross-reference other events in the Windows Event Log and tie activity to a particular logon session.
  • EventData/TargetUserName (Username): the username associated with the authenticating account.
  • EventData/IpAddress (Source Identification): the source address for the session.

For local logons, such as a user signing in at the console with the native keyboard and mouse, EventData/IpAddress will be 127.0.0.1 (or its IPv6 equivalent ::1, as in the RunAs example below) or a null value. Note that a local address will also appear in this field when the authentication came through a tunnel on the host, such as a reverse tunnel set up by a malicious implant, so a loopback address alone does not prove a physical logon.

Analysis Tips

Analysis of LogonType

The EventData/LogonType provides information regarding what type of logon occurred. The following LogonType values are available:

Logon Type    Description
2             Interactive (user logon through the screen or virtual console; see the Local/Physical User Logon example)
3             Network (e.g. RDP with NLA enabled, or access to a file share; see the File Server Access example)
7             Unlock (RDP reconnects or interactive unlocking; see the Remote Desktop Logons example)
9             Explicit credentials (see RunAs Activity)
10            Remote Interactive (RDP with NLA disabled; also see the Remote Desktop Logons example)
11            Cached (cached credentials were used to authenticate instead of querying a domain controller; see the Local/Physical User Logon example)

Examples

Local/Physical User Logon

When a user authenticates physically at the system, the resulting LogonType will typically be 2, or 11 if cached credentials were used to authenticate the session. If the user merely unlocked the system, a LogonType 7 event is logged instead.

For example, a physical logon would result in the following event being logged. Note the values of the following fields:

  • EventData/LogonType: 2
  • EventData/ProcessName: C:\Windows\System32\svchost.exe
  • EventData/IpAddress: 127.0.0.1

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">HLPC01$</Data>
		<Data Name="SubjectDomainName">WORKGROUP</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
		<Data Name="TargetUserName">user</Data>
		<Data Name="TargetDomainName">HLPC01</Data>
		<Data Name="TargetLogonId">0x34358d</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">HLPC01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x7e4</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x3435b7</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In situations when cached credentials were used to authenticate a session, the physical logon might look like this:

  • EventData/LogonType: 11
  • EventData/ProcessName: C:\Windows\System32\svchost.exe
  • EventData/IpAddress: 127.0.0.1

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="TargetUserName">ablaser</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4d742</Data>
		<Data Name="LogonType">11</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1843</Data>
	</EventData>
</Event>

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

RunAs Activity

RunAs is a command-line utility used to execute programs with different permissions. Using RunAs to do so also results in a type 2 logon. In the following example, note the EventData/SubjectUserName field, which indicates which user executed RunAs, while EventData/TargetUserName contains the account whose credentials were used. In addition, EventData/SubjectLogonId (0x4d742) is the same as the EventData/TargetLogonId in the previous example of cached credential authentication. This shows that HLAB\ablaser authenticated to the system and then used RunAs to run a command as HLAB\mvanburanadm. Note also that EventData/LogonProcessName is seclogo rather than User32 in this case.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="SubjectUserName">ablaser</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x4d742</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0xc0cd5</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">seclogo</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{22acd001-6c49-8d9e-8c4f-c1fd908d1c0e}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x2108</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">::1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0xc0f24</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

Remote Desktop Logons

The appearance of Remote Desktop activity from this artifact depends on several factors:

  • For new RDP logons, a type 10 logon event is logged

  • For pre-existing logons, a type 7 logon event is logged

  • Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceding either the type 7 or the type 10 event

For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events:

Type 3 Logon Event

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-0-0</Data>
		<Data Name="SubjectUserName">-</Data>
		<Data Name="SubjectDomainName">-</Data>
		<Data Name="SubjectLogonId">0x0</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4f5277</Data>
		<Data Name="LogonType">3</Data>
		<Data Name="LogonProcessName">NtLmSsp</Data>
		<Data Name="AuthenticationPackageName">NTLM</Data>
		<Data Name="WorkstationName">HLNAS01-WS2K19</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">NTLM V2</Data>
		<Data Name="KeyLength">128</Data>
		<Data Name="ProcessId">0x0</Data>
		<Data Name="ProcessName">-</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

Type 7 Logon Event (Unlocked)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4fbf34</Data>
		<Data Name="LogonType">7</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x4fbf85</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763

If there had not been a previous, still-active RDP session, a Type 10 Logon event would have been logged instead of the Type 7 event.

File Server Access

In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of Type 3, with the IP address of the authenticating system in the EventData/IpAddress field. This can be useful for auditing potential file access on network shares.
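As an added example (not part of the handbook), the following Python script parses 4624 records exported as XML, labels each with the LogonType meaning from the Analysis Tips table, links a RunAs logon back to its launching session by matching SubjectLogonId against an earlier TargetLogonId, and pairs the NLA type 3 event with the type 10 or 7 event that follows it from the same source. The sample records and the helper names (`parse_4624`, `link_runas`, `rdp_sequences`) are constructed for this example and reuse the identifiers shown in the examples above.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType meanings as listed in the handbook's Analysis Tips table.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 9: "Explicit credentials",
               10: "Remote Interactive", 11: "Cached"}
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}   # loopback or empty IpAddress = local logon


def parse_4624(xml_text):
    """Flatten the EventData of one 4624 record into a dict; LogonType becomes an int."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def describe(ev):
    """One-line reading of the event: which account, what kind of logon, from where."""
    kind = LOGON_TYPES.get(ev["LogonType"], "Unknown")
    where = "local console/loopback" if ev["IpAddress"] in LOCAL_SOURCES else ev["IpAddress"]
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']} type {ev['LogonType']} ({kind}) from {where}"


def link_runas(events):
    """Tie a RunAs-style logon back to the session that launched it: the launching
    session's TargetLogonId reappears as the new event's SubjectLogonId."""
    by_target = {ev["TargetLogonId"]: ev for ev in events}
    chains = []
    for ev in events:
        origin = by_target.get(ev["SubjectLogonId"])
        if origin is not None and origin is not ev:
            chains.append((origin["TargetUserName"], ev["SubjectLogonId"],
                           ev["TargetUserName"], ev["TargetLogonId"]))
    return chains


def rdp_sequences(events):
    """Pair a type 3 (NLA) logon with the type 10 or 7 logon that follows it for the
    same account and source address, the pattern the handbook describes for RDP."""
    pairs = []
    for i, first in enumerate(events):
        if first["LogonType"] != 3:
            continue
        for second in events[i + 1:]:
            if (second["LogonType"] in (7, 10) and second["TargetUserName"] == first["TargetUserName"]
                    and second["IpAddress"] == first["IpAddress"]):
                pairs.append((first["TargetLogonId"], second["TargetLogonId"], second["LogonType"]))
                break
    return pairs


def event_xml(**fields):
    """Constructed sample: a minimal 4624 record carrying only the fields used above."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><EventData>{body}</EventData></Event>'


# Constructed sample log in order: cached logon, RunAs, then RDP with NLA to a locked session.
SAMPLE = [parse_4624(event_xml(**f)) for f in (
    dict(SubjectLogonId="0x3e7", TargetUserName="ablaser", TargetDomainName="HLAB",
         TargetLogonId="0x4d742", LogonType=11, IpAddress="127.0.0.1"),
    dict(SubjectLogonId="0x4d742", TargetUserName="mvanburanadm", TargetDomainName="HLAB",
         TargetLogonId="0xc0cd5", LogonType=2, IpAddress="::1"),
    dict(SubjectLogonId="0x0", TargetUserName="mvanburanadm", TargetDomainName="HLAB",
         TargetLogonId="0x4f5277", LogonType=3, IpAddress="172.16.200.2"),
    dict(SubjectLogonId="0x3e7", TargetUserName="mvanburanadm", TargetDomainName="HLAB",
         TargetLogonId="0x4fbf34", LogonType=7, IpAddress="172.16.200.2"),
)]
```

Running `describe` over `SAMPLE`, then `link_runas(SAMPLE)` and `rdp_sequences(SAMPLE)`, reproduces the three scenarios walked through above from a single event stream.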
