🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Event IDs
  3. Authentication / Account

4634 - Account Logoff

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634

Event ID 4634 is a significant event in the Windows security auditing subsystem, indicating an account logoff. This event is logged whenever a logon session is terminated and can be seen across various scenarios, such as user-initiated logoffs, system shutdowns, or when a network session is closed. Monitoring and analyzing these logoff events is crucial for understanding user activity patterns, detecting potential security issues, and ensuring compliance with organizational policies.

Key Details of Event ID 4634

  • Log Location: Security log.

    • %SYSTEM ROOT%\System32\winevt\logs\Security.evtx

  • Category: Audit Logoff

  • Level: Information.

When It Is Logged

Event ID 4634 is generated in several scenarios, including but not limited to:

  • A user logs off from a system interactively.

  • A remote desktop session is disconnected or logged off.

  • A network session to a shared resource is closed.

  • Scheduled tasks or services running under a specific account are stopped.

Information Contained in the Log

An Event ID 4634 log contains important information that helps in identifying the context of the logoff event:

  • Logon Type: This indicates the type of logon session that was terminated. The logon type provides context, such as whether the logoff was from an interactive session, a network connection, or a remote desktop session.

  • Subject: Details about the account that logged off.

    • Security ID: The SID of the account.

    • Account Name: The name of the account.

    • Account Domain: The domain of the account.

    • Logon ID: A unique identifier for the logon session. This ID can be used to correlate with other events, such as a corresponding Event ID 4624 (logon event).

  • Target Logon ID: Identifies the session that was terminated.

Importance for Security

Understanding and monitoring Event ID 4634 is vital for several reasons:

  • User Activity Monitoring: Tracking logoff events helps in creating a baseline of normal user activity and identifying deviations that could indicate security issues, such as unauthorized access or insider threats.

  • Security Investigations: During forensic analysis, correlating logoff events with other security events can provide insights into the actions taken by a user or an attacker before exiting the system.

  • Compliance and Auditing: Many compliance frameworks require detailed logging of user activities, including when users log off. Analyzing these events can help organizations meet their compliance obligations.

Tools and Strategies for Analysis

  • Windows Event Viewer: The Event Viewer allows administrators to manually review and filter Event ID 4634 logs.

  • PowerShell: Administrators can use PowerShell to automate the collection and analysis of logoff events, making it easier to handle large volumes of data or perform regular audits.

  • SIEM Systems: Security Information and Event Management (SIEM) systems can aggregate logoff events from across an organization, enabling more sophisticated analysis, correlation with other events, and real-time alerting on suspicious activities.

PreviousSubStatus CodesNext4648 - Explicit Credentials Success

Last updated 1 year ago

Was this helpful?