# EventID 4624: An account was successfully logged on

This event indicates that an account has successfully authenticated to the endpoint. It is logged on the **destination** endpoint. In the context of authentication, this event is a **Logon Event**, meaning it is logged on the system that is being authenticated to.

### Analysis Value

{% content-ref url="/pages/Zo5HzeeY0PwwSEjtwJ2Z" %}
[Login History](/windows-forensics/artifacts-by-activity/account-activity/login-history.md)
{% endcontent-ref %}

{% content-ref url="/pages/xrUgKsmrRTjjCfRttgUo" %}
[Logon ID](/windows-forensics/artifacts-by-activity/account-activity/logon-id.md)
{% endcontent-ref %}

{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}

{% content-ref url="/pages/xb2jtwMPGcVKWaKDBigr" %}
[Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)
{% endcontent-ref %}

{% content-ref url="/pages/T5a0mfe6TprUne1T4K7M" %}
[Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md)
{% endcontent-ref %}

### Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ⚠️      |
| Windows XP    | ⚠️      |               |         |

{% hint style="warning" %}
In Windows XP and Windows Server 2003, the corresponding Event ID is `528`.
{% endhint %}

### Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Security.evtx`

### Artifact Interpretation

| Field                      | Interpretation                                                                                                                                                                                                                                                                                              | Reference                                                                                                   |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `EventData/TargetUserSid`  | This field contains the SID of the account that authenticated.                                                                                                                                                                                                                                              | [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)     |
| `EventData/TargetLogonId`  | This field contains the [Logon ID](/windows-forensics/artifacts-by-activity/account-activity/logon-id.md) of the session that was authenticated. This field is of interest as it can be used to cross-reference other events found in the Windows Event Log and tie activity to a particular logon session. | [Logon ID](/windows-forensics/artifacts-by-activity/account-activity/logon-id.md)                           |
| `EventData/TargetUserName` | This field will contain the username associated with the authenticating account.                                                                                                                                                                                                                            | [Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)                           |
| `EventData/IpAddress`      | This field will contain the **source** address for the session.                                                                                                                                                                                                                                             | [Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md) |

{% hint style="info" %}
For local logons, such as a user signing into the system through the native keyboard and mouse, `EventData/IpAddress` will be `127.0.0.1` or a null value. Note that a local IP address in this field will also appear if the authentication took place through a malicious implant such as a reverse tunnel, because the connection then originates on the host itself.
{% endhint %}

### Analysis Tips

#### Analysis of LogonType

The `EventData/LogonType` provides information regarding what type of logon occurred. The following `LogonType` values are available:

<table><thead><tr><th width="100">Logon Type</th><th>Description</th></tr></thead><tbody><tr><td>2</td><td><strong>Interactive</strong> (user logon through the screen or a virtual console, see example <a data-mention href="#local-physical-user-logon">#local-physical-user-logon</a>)</td></tr><tr><td>3</td><td><strong>Network</strong> (RDP with NLA enabled)</td></tr><tr><td>7</td><td><strong>Unlock</strong> (RDP reconnects or interactive unlocking, see example <a data-mention href="#remote-desktop-logons">#remote-desktop-logons</a>)</td></tr><tr><td>9</td><td><strong>Explicit</strong> credentials (see <a data-mention href="#runas-activity">#runas-activity</a>)</td></tr><tr><td>10</td><td><strong>Remote</strong> Interactive (RDP with NLA disabled, also see example <a data-mention href="#remote-desktop-logons">#remote-desktop-logons</a>)</td></tr><tr><td>11</td><td><strong>Cached</strong> (cached credentials were used to authenticate instead of querying a domain controller)</td></tr></tbody></table>
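To pull the fields discussed above out of a 4624 event and classify it by `LogonType` and source address, here is an added Python example (not code from the original page). It assumes the event XML uses the `Event` namespace shown in the examples below; the `LOCAL_ADDRESSES` set treats loopback and empty values as local, which is an assumption based on the hint above.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values as described in the table on this page
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 7: "Unlock",
    9: "Explicit credentials", 10: "Remote Interactive", 11: "Cached",
}

# Assumption: loopback or empty IpAddress values mean the logon originated locally
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-", ""}


def parse_4624(xml_text: str) -> dict:
    """Extract the analysis-relevant EventData fields from a 4624 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("./e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", "0"))
    ip = data.get("IpAddress", "-")
    return {
        "user": f'{data.get("TargetDomainName")}\\{data.get("TargetUserName")}',
        "sid": data.get("TargetUserSid"),
        "logon_id": data.get("TargetLogonId"),
        "subject_logon_id": data.get("SubjectLogonId"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Other"),
        "source_ip": ip,
        "local_source": ip in LOCAL_ADDRESSES,
        "auth_package": data.get("AuthenticationPackageName"),
    }


# Constructed sample, reduced to the EventData layout of the examples on this page
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
    <Data Name="TargetUserName">ablaser</Data>
    <Data Name="TargetDomainName">HLAB</Data>
    <Data Name="TargetLogonId">0x4d742</Data>
    <Data Name="LogonType">11</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(parse_4624(SAMPLE))
```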

## Examples

### Local/Physical User Logon

When a user authenticates physically to the system, the resulting `LogonType` will typically be 2, or 11 if cached credentials were used to authenticate the session. If the user unlocked the system instead, a type 7 logon event is logged.

For example, a physical logon would result in the following event being logged. Note the values of these fields:

| Field                 | Value                           |
| --------------------- | ------------------------------- |
| EventData/LogonType   | 2                               |
| EventData/ProcessName | C:\Windows\System32\svchost.exe |
| EventData/IpAddress   | 127.0.0.1                       |

```
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">HLPC01$</Data>
		<Data Name="SubjectDomainName">WORKGROUP</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
		<Data Name="TargetUserName">user</Data>
		<Data Name="TargetDomainName">HLPC01</Data>
		<Data Name="TargetLogonId">0x34358d</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">HLPC01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x7e4</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x3435b7</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In situations when cached credentials were used to authenticate a session, the physical logon might look like this:

| Field                 | Value                           |
| --------------------- | ------------------------------- |
| EventData/LogonType   | 11                              |
| EventData/ProcessName | C:\Windows\System32\svchost.exe |
| EventData/IpAddress   | 127.0.0.1                       |

```
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="TargetUserName">ablaser</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4d742</Data>
		<Data Name="LogonType">11</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1843</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

### RunAs Activity

`RunAs` is a command-line utility used to execute programs with different permissions. Using `RunAs` in this way will also result in a type 2 logon. In the following example, take note of the `EventData/SubjectUserName` field, which indicates which user executed `RunAs`. The `EventData/TargetUserName` field contains the account name whose credentials were used. In addition, the `EventData/SubjectLogonId` is the same as the `EventData/TargetLogonId` in the previous example of cached credential authentication. This indicates that `HLAB\ablaser` authenticated to the system and then used `RunAs` to run a command as `HLAB\mvanburanadm`.

```
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="SubjectUserName">ablaser</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x4d742</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0xc0cd5</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">seclogo</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{22acd001-6c49-8d9e-8c4f-c1fd908d1c0e}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x2108</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">::1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0xc0f24</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044

### Remote Desktop Logons

The appearance of Remote Desktop activity from this artifact depends on several factors:

* For new RDP logons, a type 10 logon event is logged
* For pre-existing logons, a type 7 logon event is logged
* Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceding either the type 7 or type 10 event

For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events:

Type 3 Logon Event

```
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-0-0</Data>
		<Data Name="SubjectUserName">-</Data>
		<Data Name="SubjectDomainName">-</Data>
		<Data Name="SubjectLogonId">0x0</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4f5277</Data>
		<Data Name="LogonType">3</Data>
		<Data Name="LogonProcessName">NtLmSsp</Data>
		<Data Name="AuthenticationPackageName">NTLM</Data>
		<Data Name="WorkstationName">HLNAS01-WS2K19</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">NTLM V2</Data>
		<Data Name="KeyLength">128</Data>
		<Data Name="ProcessId">0x0</Data>
		<Data Name="ProcessName">-</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

Type 7 Logon Event (Unlocked)

```
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4fbf34</Data>
		<Data Name="LogonType">7</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x4fbf85</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763

If there was not a previous and still active RDP connection, the Type 7 Logon event would have instead been logged as a Type 10 Logon event.
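The two correlations described in the RunAs and Remote Desktop sections, as an added Python example that is not part of the original page: linking a logon whose `SubjectLogonId` matches an earlier event's `TargetLogonId`, and pairing the NLA type 3 event with the type 7 or 10 event that follows it from the same source. The events are constructed dicts with the fields from this page's examples; the timestamps and the 30-second pairing window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sequence of 4624 events reduced to the fields discussed on this page.
# Logon ids, users and addresses follow the page's examples; times are invented.
EVENTS = [
    {"time": "2023-01-10T09:00:00", "user": "HLAB\\ablaser", "logon_type": 11,
     "target_logon_id": "0x4d742", "subject_logon_id": "0x3e7", "ip": "127.0.0.1"},
    {"time": "2023-01-10T09:05:00", "user": "HLAB\\mvanburanadm", "logon_type": 2,
     "target_logon_id": "0xc0cd5", "subject_logon_id": "0x4d742", "ip": "::1"},
    {"time": "2023-01-10T10:00:00", "user": "HLAB\\mvanburanadm", "logon_type": 3,
     "target_logon_id": "0x4f5277", "subject_logon_id": "0x0", "ip": "172.16.200.2"},
    {"time": "2023-01-10T10:00:02", "user": "HLAB\\mvanburanadm", "logon_type": 7,
     "target_logon_id": "0x4fbf34", "subject_logon_id": "0x3e7", "ip": "172.16.200.2"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_rdp_sessions(events, window=timedelta(seconds=30)):
    """Pair the NLA type 3 logon with the type 7 (reconnect) or type 10 (new)
    logon that follows it from the same source address for the same account."""
    pairs = []
    for net in (e for e in events if e["logon_type"] == 3):
        for rdp in events:
            delta = _t(rdp["time"]) - _t(net["time"])
            if (rdp["logon_type"] in (7, 10) and rdp["user"] == net["user"]
                    and rdp["ip"] == net["ip"] and timedelta(0) <= delta <= window):
                kind = "new" if rdp["logon_type"] == 10 else "reconnect"
                pairs.append((net["target_logon_id"], rdp["target_logon_id"], kind))
    return pairs


def find_runas_chains(events):
    """Link a logon whose SubjectLogonId is another 4624's TargetLogonId, i.e.
    credentials were supplied from inside an existing session (RunAs)."""
    by_id = {e["target_logon_id"]: e for e in events}
    chains = []
    for e in events:
        parent = by_id.get(e["subject_logon_id"])
        if parent is not None:
            chains.append((parent["user"], parent["target_logon_id"],
                           e["user"], e["target_logon_id"]))
    return chains


if __name__ == "__main__":
    print(find_rdp_sessions(EVENTS))
    print(find_runas_chains(EVENTS))
```

A type 3 event with no matching type 7/10 within the window is left unpaired, which is the expected shape for the file share access described in the next section.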

### File Server Access

In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of Type 3, with the IP address of the authenticating system in the `EventData/IpAddress` field. This can be useful for auditing potential file access on network shares.

