Event ID 4624 — An account was successfully logged on.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An account was successfully logged on.

Message

An account was successfully logged on.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %9

New Logon:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8
	Logon GUID: %13

Process Information:
	Process ID: %17
	Process Name: %18

Network Information:
	Workstation Name: %12
	Source Network Address: %19
	Source Port: %20

Detailed Authentication Information:
	Logon Process: %10
	Authentication Package: %11
	Transited Services: %14
	Package Name (NTLM only): %15
	Key Length: %16

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Fields

Each entry gives the field name, its data type, the message group and label it appears under, and its meaning. Values of the form %%NNNN are resource-string codes; the known meanings are listed beneath the field.

SubjectUserSid (SID): [Subject] Security ID. Indicates the account on the local system which requested the logon.
SubjectUserName (UnicodeString): [Subject] Account Name. Indicates the account on the local system which requested the logon.
SubjectDomainName (UnicodeString): [Subject] Account Domain. Indicates the account on the local system which requested the logon.
SubjectLogonId (HexInt64): [Subject] Logon ID. Indicates the account on the local system which requested the logon.
TargetUserSid (SID): [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
TargetUserName (UnicodeString): [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
TargetDomainName (UnicodeString): [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
TargetLogonId (HexInt64): [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
LogonType (UInt32): [Logon Information] Logon Type. Indicates the kind of logon that occurred. See the Logon Type Reference.
LogonProcessName (UnicodeString): [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request.
AuthenticationPackageName (UnicodeString): [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request.
WorkstationName (UnicodeString): [Network Information] Workstation Name. Indicates where a remote logon request originated.
LogonGuid (GUID): [New Logon] Logon GUID. A unique identifier that can be used to correlate this event with a KDC event.
TransmittedServices (UnicodeString): [Detailed Authentication Information] Transited Services. Indicates which intermediate services have participated in this logon request.
LmPackageName (UnicodeString): [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols.
KeyLength (UInt32): [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested.
ProcessId (Pointer): [Process Information] Process ID.
ProcessName (UnicodeString): [Process Information] Process Name.
IpAddress (UnicodeString): [Network Information] Source Network Address. Indicates where a remote logon request originated.
IpPort (UnicodeString): [Network Information] Source Port. Indicates where a remote logon request originated.
ImpersonationLevel (UnicodeString): [Logon Information] Impersonation Level. Indicates the extent to which a process in the logon session can impersonate.
	Known values: %%1831 = Anonymous, %%1832 = Identification, %%1833 = Impersonation, %%1840 = Delegation
RestrictedAdminMode (UnicodeString): [Logon Information] Restricted Admin Mode.
	Known values: %%1842 = Yes, %%1843 = No
RemoteCredentialGuard (UnicodeString): [Logon Information] Remote Credential Guard.
	Known values: %%1842 = Yes, %%1843 = No
TargetOutboundUserName (UnicodeString): [New Logon] Network Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
TargetOutboundDomainName (UnicodeString): [New Logon] Network Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
VirtualAccount (UnicodeString): [Logon Information] Virtual Account.
	Known values: %%1842 = Yes, %%1843 = No
TargetLinkedLogonId (HexInt64): [New Logon] Linked Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
ElevatedToken (UnicodeString): [Logon Information] Elevated Token.
	Known values: %%1842 = Yes, %%1843 = No

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4624,
    "version": 3,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:52.440978+00:00",
    "event_record_id": 2948,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-5-18",
    "TargetUserName": "SYSTEM",
    "TargetDomainName": "NT AUTHORITY",
    "TargetLogonId": "0x3e7",
    "LogonType": 5,
    "LogonProcessName": "Advapi  ",
    "AuthenticationPackageName": "Negotiate",
    "WorkstationName": "-",
    "LogonGuid": "00000000-0000-0000-0000-000000000000",
    "TransmittedServices": "-",
    "LmPackageName": "-",
    "KeyLength": 0,
    "ProcessId": "0x30c",
    "ProcessName": "C:\\Windows\\System32\\services.exe",
    "IpAddress": "-",
    "IpPort": "-",
    "ImpersonationLevel": "%%1833",
    "RestrictedAdminMode": "-",
    "RemoteCredentialGuard": "-",
    "TargetOutboundUserName": "-",
    "TargetOutboundDomainName": "-",
    "VirtualAccount": "%%1843",
    "TargetLinkedLogonId": "0x0",
    "ElevatedToken": "%%1842"
  },
  "message": ""
}
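The message template and the field list describe how Windows fills the %N insertion strings from EventData (in the order the fields are listed) and how the %%NNNN resource codes map to text. The following Python is an added illustration, not code from this page or from Microsoft: it renders the example event above through the template and resolves the coded values. EXAMPLE_EVENT_DATA is copied from the example event; the LOGON_TYPES names other than 2, 3 and 10 come from Microsoft's logon type documentation rather than from this page; the function names are this example's own.

```python
import re

# Insertion-string order of the 4624 message template (%1 .. %20), taken from the
# "Message" section of the page; index 0 is padding so that %N maps to POSITIONS[N].
POSITIONS = [
    None,
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId",
    "LogonType", "LogonProcessName", "AuthenticationPackageName",
    "WorkstationName", "LogonGuid", "TransmittedServices", "LmPackageName",
    "KeyLength", "ProcessId", "ProcessName", "IpAddress", "IpPort",
]

# Resource-string codes listed under "Known values" in the Fields section.
KNOWN_VALUES = {
    "%%1831": "Anonymous", "%%1832": "Identification",
    "%%1833": "Impersonation", "%%1840": "Delegation",
    "%%1842": "Yes", "%%1843": "No",
}

# Logon type names: 2, 3 and 10 are named on the page; the others follow
# Microsoft's logon type documentation (assumption: that table is current).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# The page's message template, with its tab-indented groups.
TEMPLATE = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tSecurity ID: %1\n\tAccount Name: %2\n\tAccount Domain: %3\n\tLogon ID: %4\n\n"
    "Logon Type: %9\n\n"
    "New Logon:\n\tSecurity ID: %5\n\tAccount Name: %6\n\tAccount Domain: %7\n"
    "\tLogon ID: %8\n\tLogon GUID: %13\n\n"
    "Process Information:\n\tProcess ID: %17\n\tProcess Name: %18\n\n"
    "Network Information:\n\tWorkstation Name: %12\n\tSource Network Address: %19\n"
    "\tSource Port: %20\n\n"
    "Detailed Authentication Information:\n\tLogon Process: %10\n"
    "\tAuthentication Package: %11\n\tTransited Services: %14\n"
    "\tPackage Name (NTLM only): %15\n\tKey Length: %16"
)

# event_data of the example event above, copied from the page.
EXAMPLE_EVENT_DATA = {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-5-18", "TargetUserName": "SYSTEM",
    "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x3e7",
    "LogonType": 5, "LogonProcessName": "Advapi  ",
    "AuthenticationPackageName": "Negotiate", "WorkstationName": "-",
    "LogonGuid": "00000000-0000-0000-0000-000000000000",
    "TransmittedServices": "-", "LmPackageName": "-", "KeyLength": 0,
    "ProcessId": "0x30c", "ProcessName": "C:\\Windows\\System32\\services.exe",
    "IpAddress": "-", "IpPort": "-", "ImpersonationLevel": "%%1833",
    "RestrictedAdminMode": "-", "RemoteCredentialGuard": "-",
    "TargetOutboundUserName": "-", "TargetOutboundDomainName": "-",
    "VirtualAccount": "%%1843", "TargetLinkedLogonId": "0x0", "ElevatedToken": "%%1842",
}


def resolve(value):
    """Map a %%-coded resource string to its text; anything else passes through unchanged."""
    return KNOWN_VALUES.get(value, value) if isinstance(value, str) else value


def render_message(event_data):
    """Fill the %N insertion strings of TEMPLATE from event_data, as Event Viewer does.
    A field missing from event_data renders as '-'."""
    def fill(match):
        field = POSITIONS[int(match.group(1))]
        return str(resolve(event_data.get(field, "-")))
    return re.sub(r"%(\d+)", fill, TEMPLATE)


def decode_event(event_data):
    """Return a copy of event_data with %%-codes resolved and a LogonTypeName added."""
    out = {k: resolve(v) for k, v in event_data.items()}
    out["LogonTypeName"] = LOGON_TYPES.get(event_data.get("LogonType"), "Unknown")
    return out


if __name__ == "__main__":
    print(render_message(EXAMPLE_EVENT_DATA))
    print(decode_event(EXAMPLE_EVENT_DATA))
```

This is handy when a collector exports event_data but leaves message empty, as the example above does: the rendered text matches what an analyst would see in Event Viewer, and the decoded dict turns the ImpersonationLevel, VirtualAccount and ElevatedToken codes into the words the Known values lists give them.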

Detection Patterns

Community Notes

See the Logon Type Reference for a full breakdown of LogonType values and detection guidance.

Detection Rules

Sigma

12 Sigma rules reference this event.

Elastic

  • Potential Pass-the-Hash (PtH) Attempt (severity: medium): Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
  • Potential Account Takeover - Mixed Logon Types (severity: medium): Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
  • Process Creation via Secondary Logon (severity: medium): Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
  • Potential Account Takeover - Logon from New Source IP (severity: medium): Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.

Splunk

  • Unusual Number of Remote Endpoint Authentication Events: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.
  • Windows AD Replication Request Initiated by User Account: The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain. (Also matches Event ID 4662: An operation was performed on an object.)
  • Windows AD Replication Request Initiated from Unsanctioned Location: The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise. (Also matches Event ID 4662: An operation was performed on an object.)
  • Windows AD Short Lived Domain Controller SPN Attribute: The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security. (Also matches Event ID 5136: A directory service object was modified.)
  • Windows Kerberos Local Successful Logon: The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.
  • Windows Rapid Authentication On Multiple Hosts: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
  • Windows RDP Login Session Was Established: The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment—critical for effective monitoring and threat detection.
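The three Splunk analytics above that key directly on 4624 fields (rapid authentication to 30 or more hosts in 5 minutes with LogonType 3, RDP sessions as LogonType 10, and a Kerberos LogonType 3 logon to the built-in Administrator from 127.0.0.1) are worked into plain Python below as an added example. This is not Splunk's SPL and not code from the page; the sample events are constructed to the shape of the example event above, the sliding-window aggregation keyed on IpAddress is this example's design (the page notes WorkstationName is not always populated), and the RID-500 test for the built-in Administrator is this example's choice rather than something the analytic text specifies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = datetime(2023, 11, 6, 6, 25, 0, tzinfo=timezone.utc)  # constructed base timestamp


def _ev(offset_s, computer, src_ip, logon_type, user, sid, pkg="NTLM"):
    """Constructed 4624 record in the shape of the page's example event: "computer" is
    the accessed host (where 4624 is written) and IpAddress is the source of the request."""
    return {
        "time_created": T0 + timedelta(seconds=offset_s),
        "computer": computer,
        "event_data": {
            "LogonType": logon_type, "IpAddress": src_ip, "TargetUserName": user,
            "TargetUserSid": sid, "AuthenticationPackageName": pkg,
        },
    }


USER_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed domain user SID
ADMIN_SID = "S-1-5-21-1000-2000-3000-500"  # constructed; RID 500 is the built-in Administrator

# Constructed sample, not taken from the page.
SAMPLE_EVENTS = (
    # one source reaching 30 distinct hosts inside 150 seconds with network logons
    [_ev(i * 5, f"HOST{i:02d}", "10.0.0.5", 3, "svc_backup", USER_SID) for i in range(30)]
    # an ordinary RDP session (LogonType 10) to a jump host
    + [_ev(100, "JUMP01", "10.0.0.20", 10, "alice", USER_SID)]
    # a Kerberos network logon to the built-in Administrator arriving from loopback
    + [_ev(120, "WS01", "127.0.0.1", 3, "Administrator", ADMIN_SID, pkg="Kerberos")]
    # routine file-share access from a workstation: two hosts, far below the threshold
    + [_ev(130 + i, f"FS0{i}", "10.0.0.21", 3, "bob", USER_SID) for i in range(2)]
)

LOOPBACK = {"-", "127.0.0.1", "::1"}


def rapid_auth_sources(events, threshold=30, window=timedelta(minutes=5)):
    """'Windows Rapid Authentication On Multiple Hosts': per source address, count the
    distinct accessed computers over a sliding window of LogonType 3 events and return
    {source: peak distinct count} for every source that reaches the threshold."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time_created"]):
        d = e["event_data"]
        if d.get("LogonType") == 3 and d.get("IpAddress") not in LOOPBACK:
            by_src[d["IpAddress"]].append((e["time_created"], e["computer"]))
    hits = {}
    for src, seq in by_src.items():
        win = deque()
        for ts, host in seq:
            win.append((ts, host))
            while ts - win[0][0] > window:  # drop events older than the window
                win.popleft()
            distinct = len({h for _, h in win})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def rdp_sessions(events):
    """'Windows RDP Login Session Was Established': LogonType 10 is a full interactive
    RDP session, not merely accepted credentials."""
    return [(e["event_data"]["TargetUserName"], e["computer"], e["event_data"]["IpAddress"])
            for e in events if e["event_data"].get("LogonType") == 10]


def local_kerberos_admin_logons(events):
    """'Windows Kerberos Local Successful Logon': LogonType 3 from 127.0.0.1 with the
    Kerberos package to the built-in Administrator (matched here by RID 500)."""
    out = []
    for e in events:
        d = e["event_data"]
        if (d.get("LogonType") == 3 and d.get("IpAddress") == "127.0.0.1"
                and d.get("AuthenticationPackageName") == "Kerberos"
                and d.get("TargetUserSid", "").endswith("-500")):
            out.append((e["computer"], d["TargetUserName"]))
    return out


if __name__ == "__main__":
    print("rapid auth:", rapid_auth_sources(SAMPLE_EVENTS))
    print("rdp:", rdp_sessions(SAMPLE_EVENTS))
    print("local kerberos admin:", local_kerberos_admin_logons(SAMPLE_EVENTS))
```

Because 4624 is written on the accessed computer, the source has to be reconstructed from the event's own network fields; aggregating on IpAddress rather than WorkstationName avoids losing events where the workstation name is blank, at the cost of treating a NAT or VPN concentrator as one source, which is why the threshold should be tuned per environment.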

Kusto Query Language

  • Multiple RDP connections from Single System (severity: low): Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10.
  • Rare RDP Connections (severity: medium): Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10.
