Events: 4624, 4625, 4672, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378.
Channel: Microsoft-Windows-SMBServer/Security.
Event: 551.
Overview
| Channel | Conditions | Events |
|---|---|---|
| Security | Default configuration. | Event 4624: An account was successfully logged on. Legacy: Events 528: Successful Logon and 540: Successful Network Logon. |
| Security | Default configuration. | Event 4625: An account failed to log on. Legacy: Events 529, 530, 531, 532, 533, 534, 535, 536, 537, and 539. |
| Security | Default configuration. Only logged for logons with elevated privileges. | Event 4672: Special privileges assigned to new logon. Legacy: Event 576: Special privileges assigned to new logon. |
| Security | Default configuration. | Event 4634: An account was logged off. Legacy: Event 538: User Logoff. |
| Security | Default configuration. Only logged for Interactive and RemoteInteractive logons. | Event 4647: User initiated logoff. Legacy: Event 551: User initiated logoff. |
| Security | Requires Audit Other Logon/Logoff Events to be enabled. | Event 4649: A replay attack was detected. Event 4778: A session was reconnected to a Window Station. Event 4779: A session was disconnected from a Window Station. Event 4800: The workstation was locked. Event 4801: The workstation was unlocked. Event 4802: The screen saver was invoked. Event 4803: The screen saver was dismissed. Event 5378: The requested credentials delegation was disallowed by policy. Event 5632: A request was made to authenticate to a wireless network. Event 5633: A request was made to authenticate to a wired network. |
| Microsoft-Windows-SMBServer/Security | Default configuration. Introduced in Windows 10 version 1507 and Windows Server 2012R2 Update3. | Event 551: SMB Session Authentication Failure. Generated upon failed login attempts over SMB. While invalid credentials are a common cause, other circumstances can also trigger event 551. For instance, if the “Microsoft network server: Server SPN target name validation level” policy is enabled (SmbServerNameHardeningLevel registry key), an authentication relay attempt (mismatch of the server target name) can also generate this event. Includes information about the client’s IP address, username, and authentication error code. |
Security Event ID 4624
Location: destination machine Security.evtx.
Event ID: 4624: An account was successfully logged on.
A privileged logon will generate an additional Security event: 4672: Special privileges assigned to new logon.
The 4624 event yields information such as:
- The SID `SubjectUserSid`, account name `SubjectUserName`, and domain `SubjectDomainName` of the user logging in.
- The source machine hostname `WorkstationName`, IP `IpAddress` and port `IpPort` if the event corresponds to a remote logon (otherwise the three aforementioned fields are set to `-`).
- The authentication protocol used for the logon in the `AuthenticationPackageName` field (`NTLM`, `Kerberos` or `Negotiate`). If the logon is made through the `NTLM` protocol, the `LmPackageName` field precisely identifies the `NTLM` version in use (`LM`, `NTLM V1`, `NTLM V2`).
- The logon type in the `LogonType` field (detailed below).
- The privilege level in the `ElevatedToken` field. If set to `%%1842` (Yes), the session the event represents runs in an elevated context. The event can be correlated with the `Security` event `EID: 4672` to precisely identify the privilege tokens of the session.
- The impersonation level of the event in the `ImpersonationLevel` field (detailed below).
- The `LogonID` field identifying the logon session, which can be correlated with various other `Security` events.
LogonType
The LogonType field provides information on how the logon was established:
| Logon Type | Description |
|---|---|
| 2 | Interactive logon. Logon type generated for on screen login at the keyboard as well as some remote access with specific tools. Note that access made using PsExec with a user specified using the -u option will result in an interactive logon. |
| 3 | Network logon (share access, etc.). Logon type generated for access over the network (access to SMB share, PsExec, WMI/WinRM, etc.). |
| 4 | Batch logon (scheduled task) |
| 5 | Service logon (service startup) |
| 7 | Unlock (on screen unlocking) |
| 8 | NetworkCleartext authentication (usually HTTP basic authentication) |
| 9 | NewCredentials authentication (client-side for runas /NetOnly usage) |
| 10 | RemoteInteractive authentication (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive authentication (logging using cached credentials when a domain controller cannot be reached) |
Interactive logons (Logon type 2 and Logon type 10) will result in the storing of the given user's secrets (NTLM hash or Kerberos tickets) in LSASS memory. Knowing which users logged on interactively on a system can help determine which accounts could be compromised following the takeover of a system by an attacker.
ImpersonationLevel
The ImpersonationLevel field may take the following values:
| Flag | Correspondence | Description |
|---|---|---|
| - | SecurityAnonymous | The server process cannot obtain security information about the client. |
| %%1832 | Identification | The server process can obtain information about the client but cannot impersonate the client and thus the client has no privileges. |
| %%1833 | Impersonation | The server process can obtain information and impersonate the client’s security context on the local system. |
| %%1840 | Delegation | The server process can impersonate the client’s security context on remote systems. |
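As an added example (not code from the original page, nor from the LogParser/KAPE module it mentions), the following Python parses one Security 4624 record in the XML form exported by Get-WinEvent or EVTX tooling, extracts the fields listed above, applies the LogonType and ImpersonationLevel mappings, and flags logons whose secrets end up in LSASS. The sample record and all its values (WS01, jdoe, ADMIN-PC, the SID and logon id) are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
IMPERSONATION = {"%%1832": "Identification", "%%1833": "Impersonation", "%%1840": "Delegation"}
CREDS_IN_LSASS = {2, 10}  # interactive logons leave NTLM hashes / Kerberos tickets in LSASS

def parse_4624(xml_text):
    """Extract the logon fields from one Security 4624 record in EVTX XML form."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:EventID", NS).text != "4624":
        raise ValueError("not a 4624 event")
    # EventData is a flat list of <Data Name="..."> elements
    d = {x.get("Name"): (x.text or "") for x in root.find("e:EventData", NS)}
    logon_type = int(d["LogonType"])
    # The account that logged on is in the Target* fields; Subject* is the requesting account
    return {
        "user": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
        "sid": d["TargetUserSid"],
        "logon_id": d["TargetLogonId"],
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        # WorkstationName / IpAddress / IpPort are "-" for local logons
        "source": None if d["IpAddress"] == "-" else f'{d["WorkstationName"]} ({d["IpAddress"]}:{d["IpPort"]})',
        "auth_package": d["AuthenticationPackageName"],
        "ntlm_version": d.get("LmPackageName", "-"),
        "elevated": d.get("ElevatedToken") == "%%1842",  # correlate with 4672 for the privileges
        "impersonation": IMPERSONATION.get(d.get("ImpersonationLevel"), "SecurityAnonymous"),
        "creds_in_lsass": logon_type in CREDS_IN_LSASS,
    }

# Constructed sample record (not real telemetry): a Remote Desktop logon authenticated with NTLMv2
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">WS01$</Data>
<Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="TargetUserName">jdoe</Data>
<Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e7a1c</Data>
<Data Name="LogonType">10</Data><Data Name="WorkstationName">ADMIN-PC</Data>
<Data Name="IpAddress">10.0.0.25</Data><Data Name="IpPort">49822</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data>
<Data Name="ElevatedToken">%%1842</Data><Data Name="ImpersonationLevel">%%1833</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for key, value in parse_4624(SAMPLE_4624).items():
        print(f"{key:16} {value}")
```

Feeding every 4624 record of a Security.evtx export through `parse_4624` and filtering on `creds_in_lsass` gives the list of accounts whose secrets were exposed on the host.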
Security Event ID 4672
Location: destination machine Security.evtx.
Event ID: 4672: Special privileges assigned to new logon.
This event occurs whenever an account is assigned one or more of the following privileges:
- SeTcbPrivilege
- SeBackupPrivilege
- SeCreateTokenPrivilege
- SeDebugPrivilege
- SeEnableDelegationPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege
- SeLoadDriverPrivilege
- SeSecurityPrivilege
- SeSystemEnvironmentPrivilege
- SeAssignPrimaryTokenPrivilege
- SeRestorePrivilege
- SeTakeOwnershipPrivilege
The SubjectLogonId field can be correlated with the Security event
EID: 4624 in order to retrieve more information on the logon session.
Tool(s)
The LogParser’s KAPE module LogParser_LogonLogoffEvents
can be used to parse Security.evtx file(s) and extract the aforementioned
authentication events into a CSV timeline.