diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 07fdf70e44..84e8eaa64e 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -1,5 +1,5 @@ --- -title: 4624(S) An account was successfully logged on. +title: 4624(S) An account was successfully logged on. description: Describes security event 4624(S) An account was successfully logged on. ms.pagetype: security ms.mktglfcycl: deploy @@ -7,12 +7,10 @@ ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/07/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.collection: - - highpri - - tier3 +ms.collection: tier3 ms.topic: reference --- @@ -97,7 +95,7 @@ This event generates when a logon session is created (on destination machine). I - Added "Impersonation Level" field. -- 2 – Windows 10. +- 2 - Windows 10. - Added "Logon Information:" section. @@ -119,16 +117,16 @@ This event generates when a logon session is created (on destination machine). I **Subject:** -- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you will see the source data in the event. +- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. - This field may also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information. + This field can also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information. > [!NOTE] > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon. -- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information: - Domain NETBIOS name example: CONTOSO @@ -138,13 +136,13 @@ This event generates when a logon session is created (on destination machine). I - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". + - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`. - **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon." **Logon Information** [Version 2]**:** -- **Logon Type** [Version 0, 1, 2] [Type = UInt32]**:** the type of logon which was performed. The table below contains the list of possible values for this field. +- **Logon Type** [Version 0, 1, 2] [Type = UInt32]**:** the type of logon that happened. The following table contains the list of possible values for this field. ## Logon types and descriptions @@ -153,46 +151,46 @@ This event generates when a logon session is created (on destination machine). I | `0` | `System` | Used only by the System account, for example at system startup. | | `2` | `Interactive` | A user logged on to this computer. | | `3` | `Network` | A user or computer logged on to this computer from the network. | -| `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| `5` | `Service` | A service was started by the Service Control Manager. | +| `4` | `Batch` | Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention. | +| `5` | `Service` | The Service Control Manager started a service. | | `7` | `Unlock` | This workstation was unlocked. | -| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext). | | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials. | +| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This type is used for internal auditing. | | `13` | `CachedUnlock` | Workstation logon. | -- **Restricted Admin Mode** [Version 2] [Type = UnicodeString]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. +- **Restricted Admin Mode** [Version 2] [Type = UnicodeString]**:** Only populated for **RemoteInteractive** logon type sessions. This value is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1 and Windows Server 2012 R2, but this flag was added to the event in Windows 10. Reference: . - If not a **RemoteInteractive** logon, then this will be "-" string. + If not a **RemoteInteractive** logon, then this value is the string: `-` -- **Virtual Account** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag, which indicates if the account is a virtual account (e.g., "[Managed Service Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633(v=ws.10))"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService". +- **Virtual Account** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag, which indicates if the account is a virtual account (for example, "[Managed Service Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633(v=ws.10))"), which was introduced in Windows 7 and Windows Server 2008 R2 to identify the account that a given Service uses, instead of just using "NetworkService". - **Elevated Token** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag. If "Yes", then the session this event represents is elevated and has administrator privileges. **Impersonation Level** [Version 1, 2] [Type = UnicodeString]: can have one of these four values: -- SecurityAnonymous (displayed as **empty string**): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. +- SecurityAnonymous (displayed as **empty string**): The server process can't obtain identification information about the client, and it can't impersonate the client. It's defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. -- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context. +- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it can't impersonate the client. This value is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context. -- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type. +- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server can't impersonate the client on remote systems. This type is the most common. - SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems. **New Logon:** -- **Security ID** [Type = SID]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** [Type = SID]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > [!NOTE] > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed. -- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following: +- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information: - Domain NETBIOS name example: CONTOSO @@ -202,19 +200,19 @@ This event generates when a logon session is created (on destination machine). I - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". + - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`. - **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon." -- **Linked Logon ID** [Version 2] [Type = HexInt64]**:** A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is "**0x0**". +- **Linked Logon ID** [Version 2] [Type = HexInt64]**:** A hexadecimal value of the paired logon session. If there's no other logon session associated with this logon session, then the value is "**0x0**". -- **Network Account Name** [Version 2] [Type = UnicodeString]**:** User name that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. +- **Network Account Name** [Version 2] [Type = UnicodeString]**:** User name that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. - If not **NewCredentials** logon, then this will be a "-" string. + If not **NewCredentials** logon, then this value will be the string: `-` -- **Network Account Domain** [Version 2] [Type = UnicodeString]**:** Domain for the user that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. +- **Network Account Domain** [Version 2] [Type = UnicodeString]**:** Domain for the user that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. - If not **NewCredentials** logon, then this will be a "-" string. + If not **NewCredentials** logon, then this value will be the string: `-` - **Logon GUID** [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, "[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. @@ -243,32 +241,32 @@ This event generates when a logon session is created (on destination machine). I - **Source Network Address** [Type = UnicodeString]**:** IP address of machine from which logon attempt was performed. - - IPv6 address or ::ffff:IPv4 address of a client. + - IPv6 address or IPv4 address of a client. - - ::1 or 127.0.0.1 means localhost. + - `::1` or `127.0.0.1` means localhost. -- **Source Port** [Type = UnicodeString]: source port which was used for logon attempt from remote machine. +- **Source Port** [Type = UnicodeString]: The source port that was used for logon attempt from remote machine. - 0 for interactive logons. - - > [!NOTE] - The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details. + +> [!NOTE] +> The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details. **Detailed Authentication Information:** - **Logon Process** [Type = UnicodeString]**:** the name of the trusted logon process that was used for the logon. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information. -- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: +- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: - - **NTLM** – NTLM-family Authentication + - **NTLM** - NTLM-family Authentication - - **Kerberos** – Kerberos authentication. + - **Kerberos** - Kerberos authentication. - - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. + - **Negotiate** - the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it can't be used by one of the systems involved in the authentication or the calling application didn't provide sufficient information to use Kerberos. -- **Transited Services** [Type = UnicodeString] [Kerberos-only]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see +- **Transited Services** [Type = UnicodeString] [Kerberos-only]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see -- **Package Name (NTLM only)** [Type = UnicodeString]**:** The name of the LAN Manager sub-package ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during logon. Possible values are: +- **Package Name (NTLM only)** [Type = UnicodeString]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during logon. Possible values are: - "NTLM V1" @@ -278,7 +276,7 @@ This event generates when a logon session is created (on destination machine). I Only populated if "**Authentication Package" = "NTLM"**. -- **Key Length** [Type = UInt32]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if "**Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package. +- **Key Length** [Type = UInt32]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically it has 128-bit or 56-bit length. This parameter is always 0 if "**Authentication Package" = "Kerberos"**, because it isn't applicable for Kerberos protocol. This field also has a `0` value if Kerberos was negotiated using **Negotiate** authentication package. ## Security Monitoring Recommendations @@ -288,14 +286,14 @@ For 4624(S): An account was successfully logged on. |-----------------------------|-------------------------| | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | +| **Non-active accounts**: You might have nonactive, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | | **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allowlist. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | -| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | +| **Accounts of different types**: Make sure that certain actions run only by certain account types. For example, local or domain account, machine or user account, or vendor or employee account. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that aren't allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) shouldn't typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you're concerned about. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | -- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM. +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** isn't SYSTEM. - If "**Restricted Admin**" mode must be used for logons by certain accounts, use this event to monitor logons by "**New Logon\\Security ID**" in relation to "**Logon Type**"=10 and "**Restricted Admin Mode**"="Yes". If "**Restricted Admin Mode**"="No" for these accounts, trigger an alert. @@ -309,13 +307,13 @@ For 4624(S): An account was successfully logged on. - If the user account **"New Logon\\Security ID"** should never be used to log on from the specific **Computer:**. - - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**. + - If **New Logon\\Security ID** credentials shouldn't be used from **Workstation Name** or **Source Network Address**. - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. - - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. + - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** doesn't equal **NTLM V2**. - - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. + - If NTLM isn't used in your organization, or shouldn't be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.