Artifact Analysis: Windows Logon Events (4624 & 4625)
1. The Rosetta Stone: Understanding “Logon Types”
The most important field in a 4624 or 4625 event is the Logon Type: it records the mechanism used to authenticate (console, network share, scheduled task, RDP and so on). Read it first; the same account and Source Network Address mean different things in a Type 3 and a Type 10, so without the Logon Type the rest of the event cannot be interpreted.
| Logon Type | Name | Forensic Relevance & TTPs |
|---|---|---|
| 2 | Interactive | Logon at the local console (keyboard), but also RunAs and PsExec with explicit -u credentials, so it is not exclusively physical. High relevance if an attacker gains physical access or uses a hypervisor console (e.g., VMware vSphere console). |
| 3 | Network | Access to a remote resource over SMB, RPC, WinRM or similar. The most common indicator of Lateral Movement, and also the noisiest type on any file server, so it must be filtered by account and source. PsExec, WMI and WinRM all generate Type 3 on the target. |
| 4 | Batch | Execution of a scheduled task under stored credentials. Crucial for investigating Scheduled Task Persistence. |
| 5 | Service | A Windows service starting under stored credentials (the Service Control Manager performs the logon). |
| 7 | Unlock | A user unlocking an existing locked session, including reconnecting to a disconnected RDP session. |
| 8 | NetworkCleartext | A network logon where the password was sent in clear text to the server (e.g., IIS Basic authentication). Rare, and worth reviewing wherever it appears. |
| 9 | NewCredentials | The caller cloned its token and supplied different credentials for outbound network connections (runas /netonly). Mimikatz sekurlsa::pth produces a Type 9 logon on the source host, with Logon Process seclogo. |
| 10 | RemoteInteractive | Connection via Remote Desktop Protocol (RDP) or Terminal Services. A prime indicator of remote graphical access by an adversary. With Network Level Authentication enabled (the default), the Type 10 logon is preceded by a Type 3 from the same source IP. |
| 11 | CachedInteractive | Local logon using cached domain credentials (e.g., a laptop disconnected from the Domain Controller), so no Domain Controller event exists to corroborate it. |
2. Anatomy of Event 4624 (Successful Logon)
When analyzing a 4624 event, DFIR analysts must parse the XML data into distinct operational categories.
- Subject (Who initiated the action?): The account that requested the logon, not the account that logged in. For local interactive (Type 2), unlock and service logons this is typically SYSTEM with Logon ID 0x3E7, because Winlogon or the Service Control Manager on the host made the request. For network logons (Type 3) the Subject is usually NULL SID / "-" with Logon ID 0x0, because the request arrived from a remote client rather than a local process. A Subject that is an ordinary user account points to a RunAs or an explicit LogonUser call by that user's process.
- New Logon (Who authenticated?):
  - Security ID / Account Name: The specific user account that successfully logged in.
  - Account Domain: Differentiates between local accounts (the hostname) and domain accounts (the AD domain). A local account logging in over the network is itself worth a second look.
  - Logon ID (TargetLogonId in the XML): A hexadecimal session identifier, unique until reboot. Correlate it with the SubjectLogonId of Event 4688 (Process Creation) to see what the session ran, and with the TargetLogonId of Event 4634/4647 (Logoff) to determine exact session duration.
  - Logon GUID: For Kerberos logons, matches the Logon GUID of the Event 4769 service ticket request on the Domain Controller, linking the endpoint logon to the DC record.
  - Elevated Token (Windows 10 / Server 2016 and later): %%1842 (Yes) means the session received a full administrator token.
- Network Information (Where from?):
  - Workstation Name: The NetBIOS name supplied by the client. It is set by the client and can be blank or arbitrary, so treat it as a hint rather than evidence.
  - Source Network Address / Source Port: The IP address of the machine originating the connection. This is the primary pivot point for tracing lateral movement. Values of "-", "::1" or "127.0.0.1" indicate a local logon, and the address may be a NAT, VPN or RDP gateway rather than the real client.
- Detailed Authentication Information (How?):
  - Logon Process: The component that performed the logon (e.g., User32 for console and RDP, NtLmSsp or Kerberos for network logons, Advapi for LogonUser calls, seclogo for runas /netonly-style logons).
  - Authentication Package: NTLM, Kerberos or Negotiate.
  - Package Name (NTLM only): NTLM V1 or NTLM V2, which shows whether the weaker NTLMv1 is still in use.
  - Key Length: Session key length; 0 for Kerberos and for NTLM logons that established no session key.
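As an added illustration of the categories above (example code, not from the original page), the following Python parses a constructed 4624 record and its matching 4634 in EVTX XML form, groups the fields into the four categories, and computes session duration by pairing on TargetLogonId. The sample records, hostnames, SIDs, IPs and timestamps are invented.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon Type -> name as documented for 4624/4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample records (not real logs); field names follow the 4624/4634 EventData schema.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T10:00:00.1234567Z"/>
  <Computer>SRV-FINANCE.corp.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data>
  <Data Name="SubjectDomainName">-</Data><Data Name="SubjectLogonId">0x0</Data>
  <Data Name="TargetUserSid">S-1-5-21-11-22-33-1105</Data><Data Name="TargetUserName">AdminUser</Data>
  <Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e7a1b2c</Data>
  <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
  <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WKSTN-01</Data>
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="LmPackageName">NTLM V2</Data><Data Name="KeyLength">0</Data>
  <Data Name="IpAddress">10.10.20.15</Data><Data Name="IpPort">49812</Data>
  <Data Name="ElevatedToken">%%1842</Data>
 </EventData>
</Event>"""

SAMPLE_4634 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2024-05-01T11:30:00.0000000Z"/>
  <Computer>SRV-FINANCE.corp.local</Computer></System>
 <EventData>
  <Data Name="TargetUserSid">S-1-5-21-11-22-33-1105</Data><Data Name="TargetUserName">AdminUser</Data>
  <Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e7a1b2c</Data>
  <Data Name="LogonType">3</Data>
 </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one EVTX-style XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # Windows writes 7-digit fractional seconds, which fromisoformat() rejects before
    # Python 3.11, so parse the fixed-width prefix and treat it as UTC.
    ts = system.find("e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": int(system.findtext("e:EventID", namespaces=NS)), "Time": when,
            "Computer": system.findtext("e:Computer", namespaces=NS), **fields}


def summarize_logon(ev):
    """Group a parsed 4624 into the four analyst categories described above."""
    lt = int(ev["LogonType"])
    host = ev["Computer"].split(".")[0].upper()
    return {
        "subject": {"sid": ev["SubjectUserSid"], "user": ev["SubjectUserName"],
                    "logon_id": ev["SubjectLogonId"]},
        "new_logon": {"sid": ev["TargetUserSid"], "user": ev["TargetUserName"],
                      "domain": ev["TargetDomainName"], "logon_id": ev["TargetLogonId"],
                      # A local account is one whose domain field equals the hostname.
                      "local_account": ev["TargetDomainName"].upper() == host,
                      "elevated": ev.get("ElevatedToken") == "%%1842"},
        "network": {"ip": ev["IpAddress"], "port": ev["IpPort"],
                    "workstation": ev["WorkstationName"],
                    "local_source": ev["IpAddress"] in ("-", "::1", "127.0.0.1")},
        "auth": {"logon_type": lt, "logon_type_name": LOGON_TYPES.get(lt, "Unknown"),
                 "logon_process": ev["LogonProcessName"],
                 "package": ev["AuthenticationPackageName"],
                 "ntlm_version": ev.get("LmPackageName", "-"),
                 "key_length": int(ev.get("KeyLength", "0"))},
    }


def session_durations(events):
    """Pair each 4624 with the 4634/4647 carrying the same TargetLogonId; seconds per Logon ID."""
    started = {e["TargetLogonId"]: e["Time"] for e in events if e["EventID"] == 4624}
    ended = {}
    for e in events:
        if e["EventID"] in (4634, 4647) and e["TargetLogonId"] in started:
            ended[e["TargetLogonId"]] = int((e["Time"] - started[e["TargetLogonId"]]).total_seconds())
    return ended


if __name__ == "__main__":
    events = [parse_event(SAMPLE_4624), parse_event(SAMPLE_4634)]
    summary = summarize_logon(events[0])
    print(summary["auth"], summary["network"])
    print(session_durations(events))  # {'0x3e7a1b2c': 5400}
```

The same parser applies to 4625, whose EventData adds Status and SubStatus; on a real system the XML comes from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` followed by `.ToXml()` on each record.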
3. DFIR Investigation Scenarios
A. Brute Force & Password Spraying
- The Signature: A high volume of Event 4625 (Failed) across many accounts originating from a single or a handful of Source Network Addresses, abruptly followed by a single Event 4624 (Success) for one of those accounts. Spraying shows many distinct accounts with one or two attempts each, nearly all with Sub Status 0xC000006A (wrong password); classic brute force shows one account with many attempts and often ends in 0xC0000234 (account locked out). A large share of 0xC0000064 (user name does not exist) means the attacker is working from a guessed or harvested user list.
- Hunting Strategy: 4625 is written on the host that processed the attempt, so a Domain Controller only logs 4625 for logons to the DC itself. For domain-wide spraying, query the DCs for Event 4771 (Kerberos pre-authentication failed) and Event 4776 (NTLM credential validation failed), and query member servers, workstations or the SIEM for 4625; then look for the 4624 on the same host from the same IP inside the failure window. In cloud environments, correlate this with Entra ID sign-in logs.
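As an added example (not part of the original page), this Python classifies constructed 4625 rows per source IP into spray, brute force or noise using the Sub Status breakdown, then looks for a 4624 from the same IP for one of the targeted accounts inside the window. The rows are invented, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Documented NTSTATUS Sub Status values commonly seen in 4625.
SUB_STATUS = {"0xC000006A": "wrong password", "0xC0000064": "user name does not exist",
              "0xC0000234": "account locked out", "0xC0000072": "account disabled",
              "0xC000006F": "outside authorized hours", "0xC0000071": "password expired"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample rows (not real logs): a spray of 25 accounts from 203.0.113.5 followed by
# one success, a brute force against one account from 10.0.0.9 ending in lockout, and a typo.
FAILED = [{"time": ts("2024-05-01 08:00:%02d" % i), "ip": "203.0.113.5", "user": "user%02d" % i,
           "sub_status": "0xC000006A"} for i in range(25)]
FAILED += [{"time": ts("2024-05-01 08:01:%02d" % i), "ip": "10.0.0.9", "user": "svc_backup",
            "sub_status": "0xC000006A" if i < 29 else "0xC0000234"} for i in range(30)]
FAILED += [{"time": ts("2024-05-01 08:02:00"), "ip": "10.0.0.20", "user": "j.doe",
            "sub_status": "0xC000006A"}]
SUCCESS = [{"time": ts("2024-05-01 08:07:30"), "ip": "203.0.113.5", "user": "user17", "logon_type": 3},
           {"time": ts("2024-05-01 08:02:05"), "ip": "10.0.0.20", "user": "j.doe", "logon_type": 2}]


def classify_failures(failed, window=timedelta(minutes=10), min_failures=20, spray_min_accounts=10):
    """Group 4625 rows per source IP into fixed windows and label each burst.

    'spray'       : many distinct accounts, few attempts each
    'brute_force' : few accounts hammered repeatedly
    'noise'       : below the failure threshold (typos, expired sessions)
    Thresholds are assumptions; tune them to the environment's baseline.
    """
    buckets = defaultdict(list)
    for ev in failed:
        start = ev["time"] - (ev["time"] - datetime.min) % window   # floor to the window
        buckets[(ev["ip"], start)].append(ev)
    bursts = []
    for (ip, start), evs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        accounts = {e["user"] for e in evs}
        codes = defaultdict(int)
        for e in evs:
            codes[SUB_STATUS.get(e["sub_status"], e["sub_status"])] += 1
        if len(evs) < min_failures:
            label = "noise"
        elif len(accounts) >= spray_min_accounts:
            label = "spray"
        else:
            label = "brute_force"
        bursts.append({"ip": ip, "start": start, "failures": len(evs), "accounts": accounts,
                       "sub_status": dict(codes), "label": label})
    return bursts


def spray_then_success(failed, successes, window=timedelta(minutes=10)):
    """(ip, account, time) for each 4624 that follows a spray/brute-force burst from the same IP,
    for an account that burst targeted, within two windows of the burst start."""
    hits = []
    for b in classify_failures(failed, window):
        if b["label"] == "noise":
            continue
        for s in successes:
            if (s["ip"] == b["ip"] and s["user"] in b["accounts"]
                    and b["start"] <= s["time"] <= b["start"] + 2 * window):
                hits.append((s["ip"], s["user"], s["time"]))
    return sorted(set(hits))


if __name__ == "__main__":
    for b in classify_failures(FAILED):
        print(b["ip"], b["label"], b["failures"], b["sub_status"])
    print(spray_then_success(FAILED, SUCCESS))
```

The j.doe success is ignored because a single failure is noise, which is the filter that keeps this from paging on every mistyped password; the sub_status breakdown is what tells a locked-out brute force apart from a spray that is deliberately staying under the lockout threshold.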
B. Tracing Lateral Movement
- The Signature: A successful Event 4624 - Logon Type 3 (Network) on critical servers originating from a compromised workstation's IP, especially for an account that has no business on that server.
- Example: An analyst investigating WKSTN-01 reviews logs on SRV-FINANCE. They find a Type 3 logon for AdminUser whose Source Network Address is the IP of WKSTN-01. Confirmed against the DHCP lease for that IP at that time, this maps the attacker's internal pivot; the 4688 events on SRV-FINANCE whose SubjectLogonId matches the logon's Logon ID show what ran during that session.
C. Pass-the-Hash (PtH) Detection
- The Signature: A stolen NTLM hash can be used directly over NTLM (Pass-the-Hash) or to request a Kerberos TGT with the RC4 encryption type (overpass-the-hash), so NTLM is not the only possible footprint. On the target, the classic Pass-the-Hash trace is Event 4624 - Logon Type 3 with Authentication Package NTLM, Logon Process NtLmSsp and Key Length 0, for a domain account that normally authenticates with Kerberos. On the source host, Mimikatz sekurlsa::pth leaves a Type 9 (NewCredentials) 4624 with Logon Process seclogo. Overpass-the-hash shows on the Domain Controller as a 4768 TGT request with Ticket Encryption Type 0x17 (RC4-HMAC) where AES is the norm. NTLM over Type 3 remains common in most Active Directory environments (IP-address-based access, legacy applications, non-domain hosts), so the NTLM-Type 3 pattern is a high-fidelity indicator only for the accounts and hosts where a baseline shows NTLM is otherwise absent.
D. Suspicious RDP Hijacking
- The Signature: An Event 4624 - Logon Type 10 (RemoteInteractive) whose Source Network Address is a public IP address geographically decoupled from the company's operations, or originating from a known Tor exit node or commercial VPN service. Check for the Type 3 logon that Network Level Authentication produces from the same source immediately before it, and for the 4778 (session reconnected) / 4779 (session disconnected) events of the session.
- Caveat: Hijacking an existing disconnected session with tscon does not produce a new Type 10 logon for the victim account; it appears as 4778/4779 for the session and, where process auditing is on, as a 4688 for tscon.exe running as SYSTEM. If RDP is reachable only through a VPN concentrator or RD Gateway, the Source Network Address is the gateway's internal address, so the external IP has to come from the gateway's own logs.
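As an added example covering sections B, C and D (example code, not from the original page), this Python walks Type 3 logons hop by hop from a compromised workstation, flags NTLM Type 3 logons for privileged accounts with the machine-account and ANONYMOUS LOGON exclusions applied, and flags Type 10 logons from outside assumed corporate address ranges together with the NLA Type 3 that should precede them. The rows, hostnames, IP-to-host mapping, account naming hints and address ranges are all invented assumptions.

```python
import ipaddress
from datetime import datetime

PRIVILEGED_HINTS = ("admin", "svc_")          # assumed naming convention; tune per environment
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}     # values 4624 uses for local logons
# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed IP-to-host mapping, as recovered from DHCP leases for the time window.
HOST_BY_IP = {"10.10.20.15": "WKSTN-01", "10.10.30.5": "SRV-FINANCE", "10.10.30.9": "SRV-DB"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample 4624 rows as a SIEM would normalise them (not real logs).
EVENTS = [
    {"time": ts("2024-05-01 09:55:00"), "host": "WKSTN-01", "user": "j.doe", "logon_type": 2,
     "ip": "-", "package": "Kerberos", "key_length": 0, "logon_process": "User32"},
    {"time": ts("2024-05-01 10:00:00"), "host": "SRV-FINANCE", "user": "AdminUser", "logon_type": 3,
     "ip": "10.10.20.15", "package": "NTLM", "key_length": 0, "logon_process": "NtLmSsp"},
    {"time": ts("2024-05-01 10:05:00"), "host": "SRV-DB", "user": "AdminUser", "logon_type": 3,
     "ip": "10.10.30.5", "package": "NTLM", "key_length": 0, "logon_process": "NtLmSsp"},
    {"time": ts("2024-05-01 10:06:00"), "host": "SRV-DB", "user": "SRV-FINANCE$", "logon_type": 3,
     "ip": "10.10.30.5", "package": "Kerberos", "key_length": 0, "logon_process": "Kerberos"},
    {"time": ts("2024-05-01 10:20:00"), "host": "SRV-FINANCE", "user": "AdminUser", "logon_type": 3,
     "ip": "198.51.100.77", "package": "NTLM", "key_length": 0, "logon_process": "NtLmSsp"},
    {"time": ts("2024-05-01 10:20:02"), "host": "SRV-FINANCE", "user": "AdminUser", "logon_type": 10,
     "ip": "198.51.100.77", "package": "Negotiate", "key_length": 0, "logon_process": "User32"},
]


def pivot_chain(events, start_host):
    """Follow Type 3 logons hop by hop from start_host; each hop is (time, user, from, to).
    Machine accounts are skipped because hosts talk to each other constantly."""
    chain, frontier = [], {start_host}
    for ev in sorted(events, key=lambda e: e["time"]):
        src = HOST_BY_IP.get(ev["ip"])
        if ev["logon_type"] == 3 and src in frontier and not ev["user"].endswith("$"):
            chain.append((ev["time"], ev["user"], src, ev["host"]))
            frontier.add(ev["host"])
    return chain


def pth_candidates(events):
    """Type 3 + NTLM + Key Length 0 for a privileged, non-machine, non-anonymous account.
    This is a lead, not proof: baseline which hosts and accounts legitimately use NTLM."""
    out = []
    for ev in events:
        u = ev["user"].lower()
        if (ev["logon_type"] == 3 and ev["package"] == "NTLM" and ev["key_length"] == 0
                and not u.endswith("$") and u != "anonymous logon"
                and any(h in u for h in PRIVILEGED_HINTS)):
            out.append((ev["host"], ev["user"], ev["ip"]))
    return out


def is_external(ip):
    if ip in LOCAL_SOURCES:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp(events):
    """Type 10 logons from outside the corporate ranges, with a flag for whether the NLA
    Type 3 for the same user/host/source was seen in the preceding minute."""
    out = []
    for ev in events:
        if ev["logon_type"] != 10 or not is_external(ev["ip"]):
            continue
        nla = [e for e in events
               if e["logon_type"] == 3 and e["ip"] == ev["ip"] and e["host"] == ev["host"]
               and e["user"] == ev["user"] and 0 <= (ev["time"] - e["time"]).total_seconds() <= 60]
        out.append((ev["host"], ev["user"], ev["ip"], bool(nla)))
    return out


if __name__ == "__main__":
    print(pivot_chain(EVENTS, "WKSTN-01"))
    print(pth_candidates(EVENTS))
    print(external_rdp(EVENTS))
```

The pivot walk stops at the external NTLM logon because 198.51.100.77 has no DHCP lease in HOST_BY_IP; the same event does appear in the Pass-the-Hash candidates, which is the expected overlap when one actor does both.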
4. Threat Hunting & Detection Rules
Deploy the following behavioral rules in your SIEM to proactively hunt for identity-based attacks. The first is a Microsoft Sentinel (KQL) query against the SecurityEvent table; the second is a Sigma rule.
```kql
// Detects potential password spraying followed by a successful logon from the same source IP.
// The success must be for one of the sprayed accounts and fall inside the failure window;
// machine accounts and local sources are ignored so the join does not fire on host noise.
let window = 10m;
let FailedLogons = SecurityEvent
| where EventID == 4625
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| summarize FailedCount = count(), TargetedAccounts = make_set(TargetUserName)
    by IpAddress, WindowStart = bin(TimeGenerated, window)
// Adjust thresholds to the environment; the distinct-account check separates spraying from one locked-out user
| where FailedCount > 20 and array_length(TargetedAccounts) > 5;
let SuccessfulLogons = SecurityEvent
| where EventID == 4624 and LogonType in (3, 10)
| where TargetUserName !endswith "$"
| project SuccessTime = TimeGenerated, IpAddress, CompromisedAccount = TargetUserName;
// Join failed bursts with successful logons from the same IP within the window
FailedLogons
| join kind=inner (SuccessfulLogons) on IpAddress
| where SuccessTime between (WindowStart .. (WindowStart + 2 * window))
| where set_has_element(TargetedAccounts, CompromisedAccount)
| project SuccessTime, IpAddress, FailedCount, TargetedAccounts, CompromisedAccount
| sort by SuccessTime desc
```

```yaml
title: Potential Pass-the-Hash Activity (NTLM Logon Type 3)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects a network logon (Type 3) using NTLM instead of Kerberos for privileged accounts, which can indicate Pass-the-Hash lateral movement. Tune the account patterns and the exclusions to the environment's NTLM baseline.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: 'NTLM'
    # Focus on highly privileged accounts (customize for your environment); list values are OR'ed
    TargetUserName|contains:
      - 'admin'
      - 'svc_'
      - 'administrator'
  filter_machine_accounts:
    TargetUserName|endswith: '$'
  filter_anonymous:
    TargetUserName: 'ANONYMOUS LOGON'
  condition: selection and not 1 of filter_*
falsepositives:
  - Legacy applications and IP-address-based access that legitimately fall back to NTLM
level: high
tags:
  - attack.lateral_movement
  - attack.t1550.002
```

References & Further Reading
- SANS Institute: Windows Forensic Analysis
- MITRE ATT&CK: Use Alternate Authentication Material: Pass the Hash (T1550.002)
- Related Artifact: Event ID 4688 & Process Lineage
- Related Artifact: PsExec and Lateral Movement Traces