Windows Event Logs

Sharing is caring
This entry is part 10 of 13 in the series Incident Response and Forensics

Views: 31

Windows logon types and logon codes

Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.  In Windows, there are several ways a logon can occur locally, and remotely. 

Logon TypeNumeric IdentifierDescriptionLogon Right
Used only by the system0System startup.
Interactive2User logging in at keyboard.Log on locally
Network3A very broad type that includes activity such as mapping network shares and running commands on remote systemsAccess this computer from the network
Batch4Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.Log on as a batch job
Service5A service started by the Service Control Manager.Log on as a service
Unlock7This workstation unlocked.
NetworkCleartext8A user logged on to this computer from the network. The user’s password passed on to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plain text.
Note: NetworkCleartext logons are generated when IIS (Internet Information Services) is configured to use HTTP basic authentication.
NewCredentials9This logon type does not seem to show up in any events. 
Microsoft Explanation: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections.
RemoteInteractive10User logon via RDP.Log on through Terminal Services
CachedInteractive11A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
CashedRemoteInteractive12Logon that occurs when the remote system is away from the network DC.
CashedUnlock13Unlock that occurs when the remote system is away from the network DC.

Critical Windows Event IDs To Monitor

Logon events

Microsoft’s basic security audit policy best practices suggest defining failure or success for account and general logon events.

Important Logon events to track

  • 4624: User successfully logged on to a computer
  • 4625: Attempt made to logon with unknown user name or bad password and failed
  • 4634: Logoff process completed for user
  • 4647: User Initiated logoff
  • 4648: User successfully logged on to a computer using explicit credentials while already logged on as different user
  • 4779: User disconnected terminal server or virtual host session without logging off
  • 4798: A user’s local group membership was enumerated.
  • 4799: A security-enabled local group membership was enumerated
  • 4820: A Kerberos Ticket-granting-ticket (TGT) was denied
  • 4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
  • 4822: NTLM authentication failed because the account was a member of the Protected User group
  • 4823: NTLM authentication failed because access control restrictions are required
  • 4824: Kerberos pre-authentication by using DES or RC4 failed because the account was a member of the Protected User group

Privilege use

  • 4103: PowerShell Module Logging
  • 4104: PowerShell Script Block Logging
  • 4656: Request to handle or access an object
  • 4658: Handle to an object was closed
  • 4659: Handle to an object was requested with intent to delete
  • 4660: Object deleted
  • 4663: Attempt to access object was made
  • 4664: Attempt to create a hard link was made
  • 4670: Object permissions were changed
  • 4672: Special Privileges Assigned to New Logon
  • 4673: Calling privileged service
  • 4674: Attempted operation on a privileged object
  • 4985: Transaction state change
  • 4691: Indirect access to an object was requested.
  • 4698: A scheduled task was created.
  • 4699: A scheduled task was deleted.
  • 4700: A scheduled task was enabled.
  • 4701: A scheduled task was disabled.
  • 4702: A scheduled task was updated.
  • 5051: File was virtualized

Important Events related to Windows Server

The following Event IDs can potentially indicate a high criticality event that applies to Windows Server 2022, Windows Server 2019, Windows Server:

  • 1100: The event logging service has shut down
  • 1101: Audit events have been dropped by the transport.
  • 1102: Audit log cleared
  • 1104: The security Log is now full
  • 4618: Monitored security event pattern occurred
  • 4649: Potential replay attack detected
  • 4719: Change to system audit policy
  • 4765: SID History added to an account
  • 4766: Failed attempt to add SID History to an account
  • 4794: Attempt at setting Directory Services Restore Mode
  • 4897: Role separation enabled
  • 4964: Special groups assigned new logon
  • 5124: Update to security setting on OCSP Responder Service


Events related to Microsoft Defender Antivirus

  • 1002: malware scan stopped before completing scan
  • 1003: malware scan paused
  • 1005: malware scan failed
  • 1006, 1116: malware or unwanted software detected
  • 1007, 1117: action to protect system performed
  • 1008, 1118: action to protect system failed
  • 1009: item restored from quarantine
  • 1012: unable to delete item in quarantine
  • 1015: suspicious behavior detected
  • 1119: critical error occurred when taking action

Common logon types and their attributes relative to credential theft:

Logon type#Authenticators acceptedReusable credentials in LSA sessionExamples
Interactive (also known as, Logon locally)2Password, Smartcard,
other
YesConsole logon;
RUNAS;
Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)
IIS Basic Auth (before IIS 6.0)
Network3Password,
NT Hash,
Kerberos ticket
No (except if delegation is enabled, then Kerberos tickets present)NET USE;
RPC calls;
Remote registry;
IIS integrated Windows auth;
SQL Windows auth;
Remote Desktop Gateway
PsExec without explicit creds (ex:  PsExec \\server cmd);
PowerShell WinRM (ex:Enter-PSSession server)
Vulnerability scanners
Batch4Password (stored as LSA secret)YesScheduled tasks
Service5Password (stored as LSA secret)YesWindows services
NetworkCleartext8PasswordYesIIS Basic Auth (IIS 6.0 and newer);
Windows PowerShell with CredSSP
NewCredentials9PasswordYesRUNAS /NETWORK
RemoteInteractive10Password, Smartcard,
other
YesRemote Desktop (formerly known as “Terminal Services”)
  • Authenticators accepted – Indicates which types of authenticators are able to initiate a logon of this type.
  • Reusable credentials in LSA session – Indicates whether the logon type results in the LSA session holding credentials, such as plaintext passwords, NT hashes, or Kerberos tickets that could be used to authenticate to other network resources.

References

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor

https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter3

https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

Series Navigation<< Analysis with WiresharkIncident Report Template >>