EventID 4624: An account was successfully logged on

This event indicates an account has successfuly authenticated to the endpoint. It is logged on the destination endpoint. In the context of authentication, this event is a Logon Event, meaning it is logged on the system that is being authenticated to.

Analysis Value

pageLogin HistorypageLogon IDpageSecurity IdentifierpageUsernamepageSource Identification

Operating System Availability

Major VersionSupportMajor VersionSupport

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

⚠️

Windows XP

⚠️

In Windows XP and Windows Server 2003, the corresponding Event ID is 528.

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Security.evtx

Artifact Interpretation

FieldInterpretationReference

EventData/TargetUserSid

This field contains the SID of the account that authenticated.

Security Identifier

EventData/TargetLogonId

This field contains the Logon ID of the session that was authenticated. This field is of interest as it can be used to cross-reference other events found in the Windows Event Log and tie activity to a particular logon session.

Logon ID

EventData/TargetUserName

This field will contain the username associated with the authenticating account.

Username

EventData/IpAddress

This field will contain the source address for the session.

Source Identification

For local logons, such as the user signing into the system through native keyboard and mouse, the EventData/IpAddress will be 127.0.0.1 or a null value. Note that a local IP address in this field will also present itself should an authentication have taken place from a malicious implant such as a reverse tunnel.

Analysis Tips

Analysis of LogonType

The EventData/LogonType provides information regarding what type of logon occurred. The following LogonType values are available:

Logon TypeDescription

2

Interactive (user login on through screen or virtual console, see example Local/Physical User Logon)

3

Network (RDP with NLA enabled)

7

Unlock (RDP reconnects or interactive unlocking, see example Remote Desktop Logons)

9

Explicit credentials (See RunAs Activity)

10

Remote Interactive (RDP with NLA diasbled, also see example Remote Desktop Logons)

11

Cached (Cached credentials were used to authenticate instead of querying a domain controller)

Examples

Local/Physical User Logon

When a user authenticates physically to the system, the resulting LogonType will typically be 2, or in the event that cached credentials were used to authenticate the session, 11. If the user has unlocked the system, there will be a logon type 7 event.

For example, a physical logon would result in the following event being logged,

Note the values of the following fields:

FieldValue

EventData/LogonType

2

EventData/ProcessName

C:\Windows\System32\svchost.exe

EventData/IpAddress

127.0.0.1

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">HLPC01$</Data>
		<Data Name="SubjectDomainName">WORKGROUP</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
		<Data Name="TargetUserName">user</Data>
		<Data Name="TargetDomainName">HLPC01</Data>
		<Data Name="TargetLogonId">0x34358d</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">HLPC01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x7e4</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x3435b7</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In situations when cached credentials were used to authenticate a session, the physical logon might look like this:

FieldValue

EventData/LogonType

11

EventData/ProcessName

C:\Windows\System32\svchost.exe

EventData/IpAddress

127.0.0.1

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="TargetUserName">ablaser</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4d742</Data>
		<Data Name="LogonType">11</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1843</Data>
	</EventData>
</Event>

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

RunAs Activity

RunAs is a command-line utility used to execute programs with different permissions. Using RunAs to perform this action will also result in a type 2 logon. In the following example, take note of the EventData/SubjectUserName field, which indicated what user executed RunAs. The EventData/TargetUserName field contains the account name whose credentials were used. In addition, the EventData/SubjectLogonId is the same as the EventData/TargetLogonId in the previous example of cached credential authentication. This indicates that HLAB\ablaser authenticated to the system, and then used RunAs to run a command as HLAB\mvanburanadm.

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <EventData>
		<Data Name="SubjectUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="SubjectUserName">ablaser</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x4d742</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0xc0cd5</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">seclogo</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{22acd001-6c49-8d9e-8c4f-c1fd908d1c0e}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x2108</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">::1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0xc0f24</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

Remote Desktop Logons

The appearance of Remote Desktop activity from this artifact depends on several factors:

  • For new RDP logons, a type 10 logon event is logged

  • For pre-existing logons, a type 7 logon event is logged

  • Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceeding either the type 7 or type 10 event

For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events:

Type 3 Logon Event

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <EventData>
		<Data Name="SubjectUserSid">S-1-0-0</Data>
		<Data Name="SubjectUserName">-</Data>
		<Data Name="SubjectDomainName">-</Data>
		<Data Name="SubjectLogonId">0x0</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4f5277</Data>
		<Data Name="LogonType">3</Data>
		<Data Name="LogonProcessName">NtLmSsp</Data>
		<Data Name="AuthenticationPackageName">NTLM</Data>
		<Data Name="WorkstationName">HLNAS01-WS2K19</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">NTLM V2</Data>
		<Data Name="KeyLength">128</Data>
		<Data Name="ProcessId">0x0</Data>
		<Data Name="ProcessName">-</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

Type 7 Logon Event (Unlocked)

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4fbf34</Data>
		<Data Name="LogonType">7</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x4fbf85</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763

If there was not a previous and still active RDP connection, the Type 7 Logon event would have instead been logged as a Type 10 Logon event.

File Server Access

In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of Type 3, with the IP address of the authenticating system in the EventData\IpAddress field. This can be useful for auditing potential file access on network shares.

Last updated