# EventID 4624: An account was successfully logged on

This event indicates that an account has successfully authenticated to the endpoint. It is logged on the **destination** endpoint. In the context of authentication, this event is a **Logon Event**, meaning it is logged on the system that is being authenticated to.

### Analysis Value

{% content-ref url="../../../artifacts-by-activity/account-activity/login-history" %}
[login-history](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/login-history)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/account-activity/logon-id" %}
[logon-id](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/account-activity/security-identifier" %}
[security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/account-activity/username" %}
[username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/network-activity/source-identification" %}
[source-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification)
{% endcontent-ref %}

### Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ⚠️      |
| Windows XP    | ⚠️      |               |         |

{% hint style="warning" %}
In Windows XP and Windows Server 2003, the corresponding Event ID is `528`.
{% endhint %}

### Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Security.evtx`

### Artifact Interpretation

| Field                      | Interpretation                                                                                                                                                                                                                                                                                                                              | Reference                                                                                                                                   |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `EventData/TargetUserSid`  | This field contains the SID of the account that authenticated.                                                                                                                                                                                                                                                                              | [security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier "mention")     |
| `EventData/TargetLogonId`  | This field contains the [logon-id](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id "mention") of the session that was authenticated. This field is of interest as it can be used to cross-reference other events found in the Windows Event Log and tie activity to a particular logon session. | [logon-id](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id "mention")                           |
| `EventData/TargetUserName` | This field will contain the username associated with the authenticating account.                                                                                                                                                                                                                                                            | [username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username "mention")                           |
| `EventData/IpAddress`      | This field will contain the **source** address for the session.                                                                                                                                                                                                                                                                             | [source-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification "mention") |

{% hint style="info" %}
For local logons, such as a user signing into the system through the native keyboard and mouse, `EventData/IpAddress` will be `127.0.0.1`, `::1`, or a null value (`-`). Note that a loopback address will also appear in this field when the authentication came through a tunnel terminating on the host itself, such as a reverse tunnel set up by a malicious implant.
{% endhint %}

### Analysis Tips

#### Analysis of LogonType

The `EventData/LogonType` field records what kind of logon occurred. The `LogonType` values covered on this page are:

<table><thead><tr><th width="100">Logon Type</th><th>Description</th></tr></thead><tbody><tr><td>2</td><td><strong>Interactive</strong> (user logging on through the screen or a virtual console, see example <a data-mention href="#local-physical-user-logon">#local-physical-user-logon</a>)</td></tr><tr><td>3</td><td><strong>Network</strong> (file share access, or RDP with NLA enabled, see example <a data-mention href="#file-server-access">#file-server-access</a>)</td></tr><tr><td>7</td><td><strong>Unlock</strong> (RDP reconnects or interactive unlocking, see example <a data-mention href="#remote-desktop-logons">#remote-desktop-logons</a>)</td></tr><tr><td>9</td><td><strong>Explicit</strong> credentials (see <a data-mention href="#runas-activity">#runas-activity</a>)</td></tr><tr><td>10</td><td><strong>Remote</strong> Interactive (RDP with NLA disabled, also see example <a data-mention href="#remote-desktop-logons">#remote-desktop-logons</a>)</td></tr><tr><td>11</td><td><strong>Cached</strong> (cached credentials were used to authenticate instead of querying a domain controller)</td></tr></tbody></table>

## Examples

### Local/Physical User Logon

When a user authenticates physically to the system, the resulting `LogonType` will typically be 2, or in the event that cached credentials were used to authenticate the session, 11. If the user has unlocked the system, there will be a logon type 7 event.

For example, a physical logon would result in the following event being logged. Note the values of these fields:

| Field                 | Value                           |
| --------------------- | ------------------------------- |
| EventData/LogonType   | 2                               |
| EventData/ProcessName | C:\Windows\System32\svchost.exe |
| EventData/IpAddress   | 127.0.0.1                       |

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">HLPC01$</Data>
		<Data Name="SubjectDomainName">WORKGROUP</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
		<Data Name="TargetUserName">user</Data>
		<Data Name="TargetDomainName">HLPC01</Data>
		<Data Name="TargetLogonId">0x34358d</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">HLPC01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x7e4</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x3435b7</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.

In situations when cached credentials were used to authenticate a session, the physical logon might look like this:

| Field                 | Value                           |
| --------------------- | ------------------------------- |
| EventData/LogonType   | 11                              |
| EventData/ProcessName | C:\Windows\System32\svchost.exe |
| EventData/IpAddress   | 127.0.0.1                       |

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="TargetUserName">ablaser</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4d742</Data>
		<Data Name="LogonType">11</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">127.0.0.1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1843</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044.

### RunAs Activity

`RunAs` is a command-line utility used to execute programs under a different account's credentials. Using `RunAs` in this way will also result in a type 2 logon. In the following example, take note of the `EventData/SubjectUserName` field, which indicates which user executed `RunAs`. The `EventData/TargetUserName` field contains the account name whose credentials were used. In addition, the `EventData/SubjectLogonId` (`0x4d742`) is the same as the `EventData/TargetLogonId` in the previous example of cached credential authentication. This indicates that `HLAB\ablaser` authenticated to the system and then used `RunAs` to run a command as `HLAB\mvanburanadm`.

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-21-3829912423-625253200-3062624365-1107</Data>
		<Data Name="SubjectUserName">ablaser</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x4d742</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0xc0cd5</Data>
		<Data Name="LogonType">2</Data>
		<Data Name="LogonProcessName">seclogo</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{22acd001-6c49-8d9e-8c4f-c1fd908d1c0e}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x2108</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">::1</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0xc0f24</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044.

### Remote Desktop Logons

The appearance of Remote Desktop activity from this artifact depends on several factors:

* For new RDP logons, a type 10 logon event is logged
* For pre-existing logons, a type 7 logon event is logged
* Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceding either the type 7 or type 10 event

For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events:

Type 3 Logon Event

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-0-0</Data>
		<Data Name="SubjectUserName">-</Data>
		<Data Name="SubjectDomainName">-</Data>
		<Data Name="SubjectLogonId">0x0</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4f5277</Data>
		<Data Name="LogonType">3</Data>
		<Data Name="LogonProcessName">NtLmSsp</Data>
		<Data Name="AuthenticationPackageName">NTLM</Data>
		<Data Name="WorkstationName">HLNAS01-WS2K19</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">NTLM V2</Data>
		<Data Name="KeyLength">128</Data>
		<Data Name="ProcessId">0x0</Data>
		<Data Name="ProcessName">-</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

Type 7 Logon Event (Unlocked)

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<EventData>
		<Data Name="SubjectUserSid">S-1-5-18</Data>
		<Data Name="SubjectUserName">WKS10-01$</Data>
		<Data Name="SubjectDomainName">HLAB</Data>
		<Data Name="SubjectLogonId">0x3e7</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0x4fbf34</Data>
		<Data Name="LogonType">7</Data>
		<Data Name="LogonProcessName">User32</Data>
		<Data Name="AuthenticationPackageName">Negotiate</Data>
		<Data Name="WorkstationName">WKS10-01</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">-</Data>
		<Data Name="KeyLength">0</Data>
		<Data Name="ProcessId">0x6ec</Data>
		<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
		<Data Name="IpAddress">172.16.200.2</Data>
		<Data Name="IpPort">0</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x4fbf85</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763.

If there was not a previous and still active RDP connection, the Type 7 Logon event would have instead been logged as a Type 10 Logon event.

### File Server Access

In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of type 3, with the IP address of the authenticating system in the `EventData/IpAddress` field. This can be useful for auditing potential file access on network shares.
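As an added example (not part of this page or of any Windows tooling), the following Python pulls the fields discussed above out of exported 4624 XML and applies the three correlations the examples on this page walk through: LogonType and local/remote source classification, the RunAs link between one event's `SubjectLogonId` and an earlier event's `TargetLogonId`, and the pairing of an NLA type 3 logon with the type 7/10 RDP logon that follows it. The sample timeline is constructed from the HLAB values in the examples above and carries only the fields the code reads; a type 3 left unpaired is reported separately, since that is what plain network access such as a file share looks like.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 9: "Explicit credentials", 10: "Remote Interactive", 11: "Cached"}
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}  # IpAddress values seen for console (or tunnelled) logons

def parse_4624(xml_text):
    """Flatten the <EventData> of one 4624 event into {Name: value}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

def describe(ev):
    """Who logged on, with which LogonType, and whether the source was local or remote."""
    lt = int(ev["LogonType"])
    origin = "local" if ev["IpAddress"] in LOCAL_SOURCES else "remote from " + ev["IpAddress"]
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']} type {lt} ({LOGON_TYPES.get(lt, 'other')}), {origin}, LogonId {ev['TargetLogonId']}"

def link_runas(events):
    """RunAs pattern: SubjectLogonId equal to the TargetLogonId of an earlier (time-ordered) event."""
    sessions, links = {}, []
    for ev in events:
        parent = sessions.get(ev["SubjectLogonId"])
        if parent is not None:
            links.append((parent["TargetUserName"], ev["TargetUserName"], ev["TargetLogonId"]))
        sessions[ev["TargetLogonId"]] = ev
    return links

def link_rdp(events):
    """NLA pattern: remote type 3 then type 7/10 for the same SID and IP; returns (pairs, unpaired type 3 ids)."""
    pending, pairs = {}, []
    for ev in events:
        key = (ev["TargetUserSid"], ev["IpAddress"])
        if ev["LogonType"] == "3" and ev["IpAddress"] not in LOCAL_SOURCES:
            pending[key] = ev["TargetLogonId"]
        elif ev["LogonType"] in ("7", "10") and key in pending:
            pairs.append((pending.pop(key), ev["TargetLogonId"], ev["LogonType"]))
    return pairs, list(pending.values())

def make_event(**fields):
    """Constructed sample record: a minimal 4624 body carrying only the fields used above."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><EventData>{data}</EventData></Event>'

# Constructed timeline using the SIDs and LogonIds from the page's HLAB examples.
ABLASER, ADMIN = "S-1-5-21-3829912423-625253200-3062624365-1107", "S-1-5-21-3829912423-625253200-3062624365-1105"
SAMPLE = [parse_4624(make_event(TargetDomainName="HLAB", **f)) for f in (
    dict(SubjectLogonId="0x3e7", TargetUserSid=ABLASER, TargetUserName="ablaser", TargetLogonId="0x4d742", LogonType="11", IpAddress="127.0.0.1"),
    dict(SubjectLogonId="0x4d742", TargetUserSid=ADMIN, TargetUserName="mvanburanadm", TargetLogonId="0xc0cd5", LogonType="2", IpAddress="::1"),
    dict(SubjectLogonId="0x0", TargetUserSid=ADMIN, TargetUserName="mvanburanadm", TargetLogonId="0x4f5277", LogonType="3", IpAddress="172.16.200.2"),
    dict(SubjectLogonId="0x3e7", TargetUserSid=ADMIN, TargetUserName="mvanburanadm", TargetLogonId="0x4fbf34", LogonType="7", IpAddress="172.16.200.2"),
)]
```

Running `link_runas(SAMPLE)` returns the single `ablaser` to `mvanburanadm` chain from the RunAs section, and `link_rdp(SAMPLE)` pairs the type 3 and type 7 events from the Remote Desktop section.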
