EventID 4624: An account was successfully logged on
Last updated
This event indicates an account has successfuly authenticated to the endpoint. It is logged on the destination endpoint. In the context of authentication, this event is a Logon Event, meaning it is logged on the system that is being authenticated to.
Analysis Value
Operating System Availability
Major Version
Support
Major Version
Support
Windows 11
✅
Server 2019
✅
Windows 10
✅
Server 2016
✅
Windows 8
✅
Server 2012
✅
Windows 7
✅
Server 2008
✅
Windows Vista
✅
Server 2003
⚠️
Windows XP
⚠️
In Windows XP and Windows Server 2003, the corresponding Event ID is 528.
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Security.evtx
Artifact Interpretation
Field
Interpretation
Reference
EventData/TargetUserSid
This field contains the SID of the account that authenticated.
EventData/TargetLogonId
EventData/TargetUserName
This field will contain the username associated with the authenticating account.
EventData/IpAddress
This field will contain the source address for the session.
For local logons, such as the user signing into the system through native keyboard and mouse, the EventData/IpAddress will be 127.0.0.1 or a null value. Note that a local IP address in this field will also present itself should an authentication have taken place from a malicious implant such as a reverse tunnel.
Analysis Tips
Analysis of LogonType
The EventData/LogonType provides information regarding what type of logon occurred. The following LogonType values are available:
Logon Type
Description
2
3
Network (RDP with NLA enabled)
7
9
10
11
Cached (Cached credentials were used to authenticate instead of querying a domain controller)
Examples
Local/Physical User Logon
When a user authenticates physically to the system, the resulting LogonType will typically be 2, or in the event that cached credentials were used to authenticate the session, 11. If the user has unlocked the system, there will be a logon type 7 event.
For example, a physical logon would result in the following event being logged,
This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044
RunAs Activity
RunAs is a command-line utility used to execute programs with different permissions. Using RunAs to perform this action will also result in a type 2 logon. In the following example, take note of the EventData/SubjectUserName field, which indicated what user executed RunAs. The EventData/TargetUserName field contains the account name whose credentials were used. In addition, the EventData/SubjectLogonId is the same as the EventData/TargetLogonId in the previous example of cached credential authentication. This indicates that HLAB\ablaser authenticated to the system, and then used RunAs to run a command as HLAB\mvanburanadm.
This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044
Remote Desktop Logons
The appearance of Remote Desktop activity from this artifact depends on several factors:
For new RDP logons, a type 10 logon event is logged
For pre-existing logons, a type 7 logon event is logged
Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceeding either the type 7 or type 10 event
For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events:
This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763
If there was not a previous and still active RDP connection, the Type 7 Logon event would have instead been logged as a Type 10 Logon event.
File Server Access
In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of Type 3, with the IP address of the authenticating system in the EventData\IpAddress field. This can be useful for auditing potential file access on network shares.
This field contains the of the session that was authenticated. This field is of interest as it can be used to cross-reference other events found in the Windows Event Log and tie activity to a particular logon session.
Interactive (user login on through screen or virtual console, see example )
Unlock (RDP reconnects or interactive unlocking, see example )
Explicit credentials (See )
Remote Interactive (RDP with NLA diasbled, also see example )