Channel: Security.
Events: 4648, 4624 (LogonType 9).

Overview

| Channel | Conditions | Events |
|---|---|---|
| Security | Default configuration. Only logged whenever alternate credentials are used. | Event 4648: A logon was attempted using explicit credentials. Legacy: Event 552: Logon attempt using explicit credentials. |
| Security | Default configuration. Only logged for runas /NetOnly (and similar) process execution. | Event 4624: An account was successfully logged on, with LogonType 9 and the specified alternate credentials as Network Account Domain and Network Account Name. |

Using the runas command with the /NetOnly switch will generate a 4624 event with a LogonType 9, a Seclogo LogonProcess, and svchost.exe as the originating process. With the /NetOnly switch, Windows will not try to validate the specified credentials. The new process will run as the currently logged on user for local access, but any network connections to other computers will be made using the user account specified. This is because, following a runas /NetOnly, Windows will create a new Logon Session with the provided credentials but will copy the current access token for the new process. Access to local resources will leverage that access token, while network connections will be made using the credentials associated with the Logon Session. Beyond runas /NetOnly, this combination of LogonType 9, Seclogo LogonProcess, and svchost.exe originating process can be an indicator that a Pass-The-Hash attack was conducted.

Without the /NetOnly switch, runas will generate 4624 (LogonType 2) and 4648 events in close proximity.

Security Event ID 4648

Windows Security Log Event ID 4648: A logon was attempted using explicit credentials.

Includes information about the target server: Target Server Name (hostname or IP) and Additional Information (the service requested).

The TargetServerName and TargetInfo fields can reference information about the remote server and service (such as TargetInfo set to TERMSRV/<HOSTNAME> for outgoing RDP).
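The two indicators described above (4624 with LogonType 9, Seclogo and svchost.exe, and 4648 with a TERMSRV/ TargetInfo) as a small triage script, added here as an example and not part of the original page. It reads events in the XML layout produced by Windows event log exports; the sample records, host names and account names are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML exports (wevtutil / Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Flatten one exported event into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec

def classify(rec):
    """Return analyst findings for a 4624 or 4648 record, else an empty list."""
    out = []
    if rec["EventID"] == "4624" and rec.get("LogonType") == "9":
        # runas /NetOnly signature: LogonType 9 + seclogo + svchost.exe originating process.
        # The same combination can also indicate pass-the-hash, so it is worth review.
        if (rec.get("LogonProcessName", "").lower() == "seclogo"
                and rec.get("ProcessName", "").lower().endswith("\\svchost.exe")):
            out.append("4624 LogonType 9 via seclogo/svchost.exe: network credentials "
                       f"{rec.get('TargetOutboundDomainName')}\\{rec.get('TargetOutboundUserName')} "
                       f"used by {rec.get('SubjectUserName')} (runas /NetOnly or possible pass-the-hash)")
    elif rec["EventID"] == "4648":
        target = f"{rec.get('TargetDomainName')}\\{rec.get('TargetUserName')}"
        server = rec.get("TargetServerName", "")
        if rec.get("TargetInfo", "").upper().startswith("TERMSRV/"):
            out.append(f"4648 outbound RDP to {server} as {target} with explicit credentials")
        else:
            out.append(f"4648 explicit credentials {target} used towards {server}")
    return out

def evt(eid, **data):
    """Build a constructed sample event in the EVTX XML export layout (test data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

# Constructed samples: a runas /NetOnly logon, an RDP launch with explicit creds, a plain interactive logon.
SAMPLES = [
    evt(4624, SubjectUserName="alice", LogonType="9", LogonProcessName="seclogo",
        ProcessName=r"C:\Windows\System32\svchost.exe",
        TargetOutboundDomainName="CORP", TargetOutboundUserName="svc_backup"),
    evt(4648, SubjectUserName="alice", TargetDomainName="CORP", TargetUserName="admin_ops",
        TargetServerName="fs01.corp.example", TargetInfo="TERMSRV/fs01.corp.example"),
    evt(4624, SubjectUserName="alice", LogonType="2", LogonProcessName="User32",
        ProcessName=r"C:\Windows\System32\winlogon.exe"),
]

def triage(xml_events):
    """Run classify() over a list of event XML strings and return all findings."""
    return [f for x in xml_events for f in classify(parse_event(x))]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```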
