- Incident Handling Life Cycle
- Volatility: Perform Memory Forensics with Volatility (Part 01)
- Introduction to Network Forensics
- Netminer
- Splunk SPL 101
- Splunk Fundamentals
- Wireshark 101 | Packet Operations
- Wireshark 101 | Traffic Analysis
- Analysis with Wireshark
- Windows Event Logs
- Incident Report Template
- Code Obfuscation and Deobfuscation
Views: 15
Windows logon types and logon codes
Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively. In Windows, there are several ways a logon can occur locally, and remotely.
| Logon Type | Numeric Identifier | Description | Logon Right |
|---|---|---|---|
| Used only by the system | 0 | System startup. | |
| Interactive | 2 | User logging in at keyboard. | Log on locally |
| Network | 3 | A very broad type that includes activity such as mapping network shares and running commands on remote systems | Access this computer from the network |
| Batch | 4 | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | Log on as a batch job |
| Service | 5 | A service started by the Service Control Manager. | Log on as a service |
| Unlock | 7 | This workstation unlocked. | |
| NetworkCleartext | 8 | A user logged on to this computer from the network. The user’s password passed on to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plain text. Note: NetworkCleartext logons are generated when IIS (Internet Information Services) is configured to use HTTP basic authentication. | |
| NewCredentials | 9 | This logon type does not seem to show up in any events. Microsoft Explanation: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections. | |
| RemoteInteractive | 10 | User logon via RDP. | Log on through Terminal Services |
| CachedInteractive | 11 | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | |
| CashedRemoteInteractive | 12 | Logon that occurs when the remote system is away from the network DC. | |
| CashedUnlock | 13 | Unlock that occurs when the remote system is away from the network DC. |
Critical Windows Event IDs To Monitor
Logon events
Microsoft’s basic security audit policy best practices suggest defining failure or success for account and general logon events.
Important Logon events to track
- 4624: User successfully logged on to a computer
- 4625: Attempt made to logon with unknown user name or bad password and failed
- 4634: Logoff process completed for user
- 4647: User Initiated logoff
- 4648: User successfully logged on to a computer using explicit credentials while already logged on as different user
- 4779: User disconnected terminal server or virtual host session without logging off
- 4798: A user’s local group membership was enumerated.
- 4799: A security-enabled local group membership was enumerated
- 4820: A Kerberos Ticket-granting-ticket (TGT) was denied
- 4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
- 4822: NTLM authentication failed because the account was a member of the Protected User group
- 4823: NTLM authentication failed because access control restrictions are required
- 4824: Kerberos pre-authentication by using DES or RC4 failed because the account was a member of the Protected User group
Privilege use
- 4103: PowerShell Module Logging
- 4104: PowerShell Script Block Logging
- 4656: Request to handle or access an object
- 4658: Handle to an object was closed
- 4659: Handle to an object was requested with intent to delete
- 4660: Object deleted
- 4663: Attempt to access object was made
- 4664: Attempt to create a hard link was made
- 4670: Object permissions were changed
- 4672: Special Privileges Assigned to New Logon
- 4673: Calling privileged service
- 4674: Attempted operation on a privileged object
- 4985: Transaction state change
- 4691: Indirect access to an object was requested.
- 4698: A scheduled task was created.
- 4699: A scheduled task was deleted.
- 4700: A scheduled task was enabled.
- 4701: A scheduled task was disabled.
- 4702: A scheduled task was updated.
- 5051: File was virtualized
Important Events related to Windows Server
The following Event IDs can potentially indicate a high criticality event that applies to Windows Server 2022, Windows Server 2019, Windows Server:
- 1100: The event logging service has shut down
- 1101: Audit events have been dropped by the transport.
- 1102: Audit log cleared
- 1104: The security Log is now full
- 4618: Monitored security event pattern occurred
- 4649: Potential replay attack detected
- 4719: Change to system audit policy
- 4765: SID History added to an account
- 4766: Failed attempt to add SID History to an account
- 4794: Attempt at setting Directory Services Restore Mode
- 4897: Role separation enabled
- 4964: Special groups assigned new logon
- 5124: Update to security setting on OCSP Responder Service
Events related to Microsoft Defender Antivirus
- 1002: malware scan stopped before completing scan
- 1003: malware scan paused
- 1005: malware scan failed
- 1006, 1116: malware or unwanted software detected
- 1007, 1117: action to protect system performed
- 1008, 1118: action to protect system failed
- 1009: item restored from quarantine
- 1012: unable to delete item in quarantine
- 1015: suspicious behavior detected
- 1119: critical error occurred when taking action
Common logon types and their attributes relative to credential theft:
| Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples |
|---|---|---|---|---|
| Interactive (also known as, Logon locally) | 2 | Password, Smartcard, other | Yes | Console logon; RUNAS; Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server) IIS Basic Auth (before IIS 6.0) |
| Network | 3 | Password, NT Hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets present) | NET USE; RPC calls; Remote registry; IIS integrated Windows auth; SQL Windows auth; Remote Desktop Gateway PsExec without explicit creds (ex: PsExec \\server cmd); PowerShell WinRM (ex:Enter-PSSession server) Vulnerability scanners |
| Batch | 4 | Password (stored as LSA secret) | Yes | Scheduled tasks |
| Service | 5 | Password (stored as LSA secret) | Yes | Windows services |
| NetworkCleartext | 8 | Password | Yes | IIS Basic Auth (IIS 6.0 and newer); Windows PowerShell with CredSSP |
| NewCredentials | 9 | Password | Yes | RUNAS /NETWORK |
| RemoteInteractive | 10 | Password, Smartcard, other | Yes | Remote Desktop (formerly known as “Terminal Services”) |
- Authenticators accepted – Indicates which types of authenticators are able to initiate a logon of this type.
- Reusable credentials in LSA session – Indicates whether the logon type results in the LSA session holding credentials, such as plaintext passwords, NT hashes, or Kerberos tickets that could be used to authenticate to other network resources.
References
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor
https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter3