Windows Logon Type Reference
The LogonType field in Microsoft-Windows-Security-Auditing events 4624, 4625 and 4634 is an integer recording how the user authenticated (4648, which records the use of explicit credentials, carries no LogonType field). Each value maps to a distinct authentication path with different security implications.
Logon Types
| Value | Name | Description | Detection Context |
|---|---|---|---|
| 0 | System | Used only by the SYSTEM account, normally at OS startup | Normal during boot; at other times, or with any account other than SYSTEM, investigate (possible kernel-level tampering or rootkit activity) |
| 2 | Interactive | Local console logon: a user signing in at the keyboard, a KVM or VNC session that presents as the console, or tooling that performs an interactive logon with explicit credentials (runas without /netonly, PsExec with -u) | Expected on workstations; on servers indicates physical or KVM access or interactive tooling, so check the process and account |
| 3 | Network | Authentication over the network: SMB file shares and mapped drives, WMI, WinRM/remote PowerShell, PsExec without explicit credentials, credentialed vulnerability-scanner checks | Primary lateral movement indicator: correlate the source IP with known admin hosts and scanners |
| 4 | Batch | Scheduled task execution (non-interactive) | Check Task Scheduler for persistence; batch logons for accounts that should not own tasks may indicate malicious scheduled tasks |
| 5 | Service | Service Control Manager started a service (non-interactive) | Normal for service accounts; investigate if seen for a human user account |
| 7 | Unlock | Workstation unlocked; also logged when a user reconnects to an existing RDP session | Generally benign; a burst of 4625 events with type 7 for one account indicates password guessing at the lock screen |
| 8 | NetworkCleartext | Network logon in which the password was handed to the authentication package unhashed, most often IIS Basic authentication or a legacy admin tool. Whether it also crossed the wire in clear depends on the transport (TLS or not) | The receiving service held the plaintext password: flag unless the application is known and TLS-protected (e.g. a legacy IIS app) |
| 9 | NewCredentials | Caller cloned its current token with new credentials that apply only to outbound connections; the local session keeps the caller's identity. Triggered by runas /netonly, CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY, or LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS | runas /netonly and Pass-the-Hash tools both produce type 9 on the source host (LogonProcess seclogo); correlate with the source process |
| 10 | RemoteInteractive | Remote Desktop (RDP) or Remote Assistance: a user logged on remotely through Terminal Services. With Network Level Authentication enabled, a type 3 logon from the same source precedes it | Key RDP indicator: match the source IP against expected admin jump hosts |
| 11 | CachedInteractive | Interactive logon validated against cached domain credentials because no domain controller was reachable (e.g. a laptop off-network) | Expected for laptops off-network; on servers indicates DC connectivity problems |
| 12 | CachedRemoteInteractive | Remote interactive logon validated against cached credentials. Also seen when Microsoft accounts authenticate on standalone workstations | RDP with cached credentials is unusual: may indicate the DC was unreachable during the RDP session |
| 13 | CachedUnlock | Workstation unlock validated against cached credentials (the cached counterpart of type 7) | As with type 11, expected off-network |
Lateral Movement Indicators
The following logon types are most relevant when hunting for lateral movement:
| Type | Name | Why It Matters |
|---|---|---|
| 3 | Network | Most common lateral movement vector: SMB, WMI, DCOM and WinRM (PowerShell remoting) all produce type 3. Filter by source IP to isolate unexpected origins. |
| 9 | NewCredentials | Created by runas /netonly and many Pass-the-Hash tools (e.g. Mimikatz sekurlsa::pth). The local session keeps the original token while outbound connections use the new credentials, so the type 9 appears on the attacker's host and the resulting type 3 logons appear on the targets. |
| 10 | RemoteInteractive | RDP sessions. Hands-on-keyboard access: especially concerning when the source is not a known jump host or PAW. |
Filtering guidance: Start by excluding type 3 logons from known admin workstations and service accounts. Remaining type 3 events, particularly to domain controllers or file servers from unexpected sources, are high-value leads.
Analysis Tips
- Localhost network logons: a type 3 logon with source 127.0.0.1 or ::1 is a loopback connection (local SMB, WinRM or COM activation, often by a service account), not remote access.
- NTLM relay detection: a relayed NTLM logon looks like any other NTLM type 3 on the target (LogonProcess `NtLmSsp`, AuthenticationPackage `NTLM`), so the logon process alone is not a signal. The tell is that the client-supplied WorkstationName belongs to a different host than the Source Network Address. Correlate with Event 8004 on the domain controller (Microsoft-Windows-NTLM/Operational) to find workstation/source mismatches, and check for `ANONYMOUS LOGON` users.
- Pass-the-Hash indicators: a type 9 logon with LogonProcess `seclogo` is the common local artifact of Pass-the-Hash (and of a legitimate runas /netonly), so pivot to the source process and to the type 3 logons it subsequently produces on other hosts.
- Remote access signals: types 3 and 10 are the primary indicators of remote access and the starting point for lateral movement investigations.
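As an added example, not code from this reference: the filtering guidance above and these analysis tips applied to constructed 4624 events in the XML shape that `wevtutil qe Security /f:xml` or `Get-WinEvent` with `.ToXml()` produce. The admin-host, service-account and hostname-inventory sets are placeholders; a real deployment would load them from inventory. The relay check needs a hostname-to-address mapping because WorkstationName is client-supplied, so it stays silent for hosts it does not know and for loopback sources.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Environment assumptions for this example (placeholder values, not a real network):
KNOWN_ADMIN_HOSTS = {"10.0.0.5"}           # PAW / jump hosts allowed to originate type 3 and 10
SERVICE_ACCOUNTS = {"svc_backup"}          # accounts whose type 3 logons are expected
HOST_INVENTORY = {"WS01": "10.0.0.21"}     # hostname -> address, used for the relay mismatch check
LOOPBACK = {"127.0.0.1", "::1", "-"}       # local or absent source address: not a remote logon

LOGON_TYPE_NAMES = {
    0: "System", 2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}


def parse_event(xml_text):
    """Return (EventID, {EventData Name: value}) for one Security-channel event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{{{NS}}}System/{{{NS}}}EventID"))
    # Windows pads some values (e.g. "NtLmSsp ") with trailing spaces; strip them.
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{{{NS}}}Data")}
    return event_id, data


def triage_4624(xml_text):
    """Apply the logon-type guidance above to one 4624 event; returns a list of findings."""
    event_id, d = parse_event(xml_text)
    if event_id != 4624:
        return []
    ltype = int(d.get("LogonType", "-1"))
    user = d.get("TargetUserName", "")
    src = d.get("IpAddress", "-")
    workstation = d.get("WorkstationName", "-").upper()
    proc = d.get("LogonProcessName", "").lower()
    authpkg = d.get("AuthenticationPackageName", "").upper()
    findings = []

    if ltype == 9 and proc == "seclogo":
        findings.append("type 9 via seclogo: runas /netonly or pass-the-hash on this host; inspect ProcessName")
    if ltype == 8:
        findings.append(f"type 8: {user}'s password reached the auth package unhashed; confirm the app and TLS")
    if ltype in (3, 10) and src not in LOOPBACK:
        # Loopback sources (local SMB/WinRM/COM) are skipped; expected origins are filtered out.
        if src not in KNOWN_ADMIN_HOSTS and user not in SERVICE_ACCOUNTS:
            findings.append(f"type {ltype} ({LOGON_TYPE_NAMES[ltype]}): {user} from unexpected source {src}")
    if ltype == 3 and authpkg == "NTLM" and src not in LOOPBACK:
        if user.upper() == "ANONYMOUS LOGON":
            findings.append(f"type 3 NTLM ANONYMOUS LOGON from {src}: null session or failed relay")
        # WorkstationName is the client-supplied name; a relay forwards the victim's name
        # from the attacker's address, so it disagrees with IpAddress for a known host.
        elif HOST_INVENTORY.get(workstation, src) != src:
            findings.append(f"type 3 NTLM: WorkstationName {workstation} is {HOST_INVENTORY[workstation]} "
                            f"but IpAddress is {src}: possible NTLM relay")
    return findings


def make_event(event_id, **data):
    """Build an event in the XML shape wevtutil/Get-WinEvent emit (constructed sample, not a real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample events exercising each branch of the guidance.
SAMPLES = {
    "admin-host-type3": make_event(4624, LogonType=3, TargetUserName="alice", IpAddress="10.0.0.5",
                                   WorkstationName="-", LogonProcessName="Kerberos",
                                   AuthenticationPackageName="Kerberos"),
    "relay-like-type3": make_event(4624, LogonType=3, TargetUserName="alice", IpAddress="10.0.0.77",
                                   WorkstationName="WS01", LogonProcessName="NtLmSsp ",
                                   AuthenticationPackageName="NTLM"),
    "pth-type9": make_event(4624, LogonType=9, TargetUserName="alice", IpAddress="-",
                            WorkstationName="WS01", LogonProcessName="seclogo",
                            AuthenticationPackageName="Negotiate"),
    "loopback-type3": make_event(4624, LogonType=3, TargetUserName="svc_backup", IpAddress="127.0.0.1",
                                 WorkstationName="SRV01", LogonProcessName="NtLmSsp ",
                                 AuthenticationPackageName="NTLM"),
    "rdp-type10": make_event(4624, LogonType=10, TargetUserName="bob", IpAddress="10.0.0.88",
                             WorkstationName="LAPTOP7", LogonProcessName="User32 ",
                             AuthenticationPackageName="Negotiate"),
    "cleartext-type8": make_event(4624, LogonType=8, TargetUserName="webuser", IpAddress="10.0.0.30",
                                  WorkstationName="-", LogonProcessName="Advapi  ",
                                  AuthenticationPackageName="Negotiate"),
    "anonymous-type3": make_event(4624, LogonType=3, TargetUserName="ANONYMOUS LOGON", IpAddress="10.0.0.77",
                                  WorkstationName="-", LogonProcessName="NtLmSsp ",
                                  AuthenticationPackageName="NTLM"),
}


def run_triage(samples=SAMPLES):
    """Triage every sample; returns {label: findings}."""
    return {label: triage_4624(xml) for label, xml in samples.items()}


if __name__ == "__main__":
    for label, findings in run_triage().items():
        print(f"{label:18} {findings or 'no findings'}")
```

The allowlists do the work the filtering guidance describes: the type 3 from the jump host and the loopback type 3 drop out, while the type 10 from an unknown address, the type 9 via seclogo, the type 8 and the NTLM type 3 whose WorkstationName maps to a different address than its IpAddress all surface. Feeding real exports into `triage_4624` only requires replacing the three placeholder sets.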
Related Events
- Microsoft-Windows-Security-Auditing Event ID 4624: An account was successfully logged on
- Microsoft-Windows-Security-Auditing Event ID 4625: An account failed to log on
- Microsoft-Windows-Security-Auditing Event ID 4648: A logon was attempted using explicit credentials
- Microsoft-Windows-Security-Auditing Event ID 4634: An account was logged off