Events: 4624, 4625, 4672, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378.
Overview
| Channel | Conditions | Events |
|---|---|---|
| Security | Default configuration. | Event 4624: An account was successfully logged on. Legacy: Events 528: Successful Logon and 540: Successful Network Logon. |
| Security | Default configuration. | Event 4625: An account failed to log on. Legacy: Events 529, 530, 531, 532, 533, 534, 535, 536, 537, and 539. |
| Security | Default configuration. Only logged for logons with elevated privileges. | Event 4672: Special privileges assigned to new logon. Legacy: Event 576: Special privileges assigned to new logon. |
| Security | Default configuration. | Event 4634: An account was logged off. Legacy: Event 538: User Logoff. |
| Security | Default configuration. Only logged for Interactive and RemoteInteractive logons. | Event 4647: User initiated logoff. Legacy: Event 551: User initiated logoff. |
| Security | Requires Audit Other Logon/Logoff Events to be enabled. | Event 4649: A replay attack was detected. Event 4778: A session was reconnected to a Window Station. Event 4779: A session was disconnected from a Window Station. Event 4800: The workstation was locked. Event 4801: The workstation was unlocked. Event 4802: The screen saver was invoked. Event 4803: The screen saver was dismissed. Event 5378: The requested credentials delegation was disallowed by policy. Event 5632: A request was made to authenticate to a wireless network. Event 5633: A request was made to authenticate to a wired network. |
Security Event ID 4624
Location: destination machine Security.evtx.
Event ID: 4624: An account was successfully logged on.
Privileged logon will generate an additional Security event: 4672: Special
privileges assigned to new logon.
The 4624 event yields information such as:
- The SID `SubjectUserSid`, account name `SubjectUserName`, and domain `SubjectDomainName` of the user logging in.
- The source machine hostname `WorkstationName`, IP `IpAddress` and port `IpPort` if the event corresponds to a remote logon (otherwise the three aforementioned fields are set to `-`).
- The authentication protocol used for the logon, in the `AuthenticationPackageName` field (`NTLM`, `Kerberos` or `Negotiate`). If the logon is made through the `NTLM` protocol, the `LmPackageName` field precisely identifies the `NTLM` version in use (`LM`, `NTLM V1`, `NTLM V2`).
- The logon type in the `LogonType` field (detailed below).
- The privilege level in the `ElevatedToken` field. If set to `%%1842` (Yes), the session the event represents runs in an elevated context. The event can be correlated with the `Security` event `EID: 4672` to precisely identify the privilege tokens of the session.
- The impersonation level of the event in the `ImpersonationLevel` field (detailed below).
- The `LogonID` field identifying the logon session, which can be correlated with various other `Security` events.
LogonType
The LogonType field provides information on how the logging was established:
| Logon Type | Description |
|---|---|
| 2 | Interactive logon. Logon type generated for on screen login at the keyboard as well as some remote access with specific tools. Note that access made using PsExec with a user specified using the -u option will result in an interactive logon. |
| 3 | Network logon (share access, etc.). Logon type generated for access over the network (access to SMB share, PsExec, WMI/WinRM, etc.). |
| 4 | Batch logon (scheduled task) |
| 5 | Service logon (service startup) |
| 7 | Unlock (on screen unlocking) |
| 8 | NetworkCleartext authentication (usually HTTP basic authentication) |
| 9 | NewCredentials authentication (client-side for runas /NetOnly usage) |
| 10 | RemoteInteractive authentication (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive authentication (logging using cached credentials when a domain controller cannot be reached) |
Interactive logons (logon types 2 and 10) result in the given user's secrets
(NTLM hash or Kerberos tickets) being stored in LSASS memory. Knowing which
users logged on interactively on a system therefore helps determine which
accounts could be compromised following the takeover of that system by an
attacker.
ImpersonationLevel
The ImpersonationLevel field may take the following values:
| Flag | Correspondence | Description |
|---|---|---|
| - | SecurityAnonymous | The server process cannot obtain security information about the client. |
| %%1832 | Identification | The server process can obtain information about the client but cannot impersonate the client and thus the client has no privileges. |
| %%1833 | Impersonation | The server process can obtain information and impersonate the client's security context on the local system. |
| %%1840 | Delegation | The server process can impersonate the client's security context on remote systems. |
Security Event ID 4672
Location: destination machine Security.evtx.
Event ID: 4672: Special privileges assigned to new logon.
This event occurs whenever an account is assigned one or more of the following privileges:
- SeTcbPrivilege
- SeBackupPrivilege
- SeCreateTokenPrivilege
- SeDebugPrivilege
- SeEnableDelegationPrivilege
- SeAuditPrivilege
- SeImpersonatePrivilege
- SeLoadDriverPrivilege
- SeSecurityPrivilege
- SeSystemEnvironmentPrivilege
- SeAssignPrimaryTokenPrivilege
- SeRestorePrivilege
- SeTakeOwnershipPrivilege
The SubjectLogonId field can be correlated with the Security event
EID: 4624 in order to retrieve more information on the logon session.
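The field breakdown of 4624 above and its correlation with 4672 on the logon ID, as an added example that is not part of the original notes: it parses Security events rendered as XML, keeps only interactive logons (types 2 and 10, the ones that leave secrets in LSASS), reads the NTLM flavour from `LmPackageName` and the `ElevatedToken` flag, and joins the 4672 privilege list on the matching logon ID. It assumes the real event field names (`TargetUserName`, `TargetLogonId` on 4624; `SubjectLogonId`, `PrivilegeList` on 4672); the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive"}  # logon types that cache secrets in LSASS
ELEVATED_YES = "%%1842"                                           # ElevatedToken value meaning "Yes"

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def interactive_sessions(xml_events):
    """List 4624 logons of type 2 or 10, enriched with the 4672 privileges carrying the same logon ID."""
    privs = {}   # logon ID (4672 SubjectLogonId) -> privilege names
    logons = []  # 4624 records with an interactive logon type
    for ev in xml_events:
        eid, d = parse_event(ev)
        if eid == 4672:
            privs[d["SubjectLogonId"].lower()] = d["PrivilegeList"].split()
        elif eid == 4624 and int(d["LogonType"]) in INTERACTIVE_TYPES:
            logons.append(d)
    sessions = []
    for d in logons:
        lid = d["TargetLogonId"].lower()  # 4624 TargetLogonId matches 4672 SubjectLogonId
        sessions.append({
            "user": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
            "logon_id": lid,
            "logon_type": INTERACTIVE_TYPES[int(d["LogonType"])],
            "source": d.get("IpAddress", "-"),
            # LmPackageName only names the NTLM flavour (LM, NTLM V1, NTLM V2) when NTLM was used
            "auth": d.get("LmPackageName") if d.get("AuthenticationPackageName") == "NTLM" else d.get("AuthenticationPackageName"),
            "elevated": d.get("ElevatedToken") == ELEVATED_YES,
            "privileges": privs.get(lid, []),
        })
    return sessions

def _evt(eid, **fields):  # builds a minimal constructed event in the Windows event XML schema
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample: an RDP logon plus its 4672, and a network logon that must be ignored
    _evt(4624, TargetUserName="jdoe", TargetDomainName="CORP", TargetLogonId="0x4A1B2C", LogonType="10",
         IpAddress="10.0.0.5", AuthenticationPackageName="NTLM", LmPackageName="NTLM V2", ElevatedToken="%%1842"),
    _evt(4672, SubjectUserName="jdoe", SubjectDomainName="CORP", SubjectLogonId="0x4a1b2c",
         PrivilegeList="SeDebugPrivilege\n\t\t\tSeBackupPrivilege"),
    _evt(4624, TargetUserName="svc_backup", TargetDomainName="CORP", TargetLogonId="0x4A1D00", LogonType="3",
         IpAddress="10.0.0.9", AuthenticationPackageName="Kerberos", LmPackageName="-", ElevatedToken="%%1843"),
]
```

Running `interactive_sessions(SAMPLE_EVENTS)` returns only the jdoe RemoteInteractive session, flagged elevated, authenticated with NTLM V2 and holding SeDebugPrivilege and SeBackupPrivilege; the type 3 network logon is dropped.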
Tool(s)
The LogParser KAPE module `LogParser_LogonLogoffEvents` can be used to parse
Security.evtx file(s) and extract the aforementioned authentication events into
a CSV timeline.