4624 - Authentication Success
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
Last updated
Was this helpful?
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
Last updated
Was this helpful?
Event ID 4624 is a critical event in Windows security auditing and monitoring, signaling a successful account logon. This event is generated on the machine where the logon session was created, typically a user's workstation or a server acting as a destination of a remote logon request (e.g., RDP, network share access). Analyzing these events is essential for security operations to track user activities, detect unauthorized access, and ensure compliance with security policies.
Log Location: Security log.
%SYSTEM ROOT%\System32\winevt\logs\Security.evtx
Category: Audit Logon
Level: Information.
Event ID 4624 is logged whenever an account successfully logs on to a system. This includes various scenarios such as:
A user logs on to their workstation.
A user accesses another computer over the network.
A service starts with a specific user account.
Scheduled tasks initiate using a user's credentials.
An Event ID 4624 log contains several pieces of crucial information:
: Indicates the logon method (interactive, network, remote desktop, batch, service, etc.). Each logon type has a specific number associated with it, which helps in understanding the context of the logon.
Subject: Information about the account that requested the logon (not always applicable).
Security ID: The SID of the account.
Account Name: The name of the account.
Account Domain: The domain of the account.
Logon ID: A value that identifies the logon session. This can be useful for correlating to other events related to the same session.
Logon Information: Details about the user and session.
User Name and Domain: The name and domain of the user who logged on.
Logon ID: Uniquely identifies the logon session.
Logon GUID: A GUID that identifies the logon session.
Authentication Package: The name of the authentication package that processed the logon request.
Network Information: Details about network logons.
Workstation Name: The name of the workstation from which the logon request originated.
Source Network Address and Port: Indicates the source IP address and port number for the logon request (mainly applicable for remote logons).
Detailed Authentication Information: Provides details about the authentication process.
Logon Process: The process that managed the logon.
Authentication Package: The package that was used to authenticate the user.
Transited Services: Lists the services that participated in the logon request.
Package Name (NTLM only): Shows the NTLM package name if NTLM was used for authentication.
Impersonation Level: Indicates the level of impersonation (e.g., impersonation, delegation).
Analyzing Event ID 4624 entries is crucial for several reasons:
Access Tracking and User Activity Monitoring: Helps in understanding user behavior by tracking when and how users log on to systems.
Unauthorized Access Detection: By analyzing logon patterns and types, it's possible to detect unusual or unauthorized access attempts.
Forensic Analysis: In the event of a security incident, these logs provide invaluable insights into the actions taken by users or attackers.
Compliance: Many regulatory frameworks require detailed logging of user activities, including successful logon attempts.
Windows Event Viewer: Allows for manual inspection and filtering of event logs.
PowerShell: Scripts can automate the extraction and analysis of 4624 events for patterns or anomalies.
SIEM Systems: Aggregate 4624 events from across the environment to provide centralized monitoring and alerting on suspicious activities.
Alerting Mechanisms: Configuring alerts for anomalous logon patterns (e.g., logons at unusual hours, logon types that are uncommon for a user) can help in quickly detecting potential security issues.