Logon Event vs Account Logon Event
As forensic analysts, we look for different kinds of information on a Windows system. Among the most useful are the event IDs related to connections to a computer. They allow us to determine the time period between a user logon and a user logoff, and thus to look for malicious activity around those dates and times. Of course, you must have identified a compromised user account before starting this kind of analysis.
Each time a user opens or closes a Windows session, an entry is created in the local Security.evtx Windows log. That is what we call a Logon Event.
- Stored locally each time a user tries to connect (whether the connection is initiated remotely or locally)
- EID 4624: Successful Connection
- EID 4634: Successful Disconnection
- EID 4625: Authentication Failed
- EID 4647: Successful Disconnection (user-initiated logoff)
Each of the event IDs listed above comes with a property called “Logon Type”. There are several, numbered between 2 and 10:
- LogonType 2: Interactive Logon –> Connection by a user sitting in front of the screen.
- LogonType 3: Network Logon –> Connection initiated from the network. Could be interpreted as remote access to a resource (a user accessing a folder/document through a network share), or as an RDP connection.
- LogonTypes 7 and 10: RDP connection or reconnection.
Account Logon Event
Each time a user opens or closes a Windows session using a third party for authentication, an entry is created in the Security.evtx Windows log of the Domain Controller responsible for the authentication. That is what we call an Account Logon Event.
- Stored on the remote Domain Controller
- EID 4768: Authentication Success – Kerberos
- EID 4769: Authentication Success – Kerberos (not logged by default)
- EID 4771: Authentication Failed – Kerberos
- EID 4776: NTLM Authentication – ResultCode 0x0 means Authentication Success; any ResultCode other than 0x0 means Authentication Failed
Sometimes you will see Account Logon event IDs stored locally in the Security.evtx on your computer (not on the DC). This indicates that the user account used to connect to your machine was a local user account (not a domain user): it was authenticated locally against the SAM registry hive and therefore did not go through a third party for the authentication process.
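The two analyses described above (pairing 4624 logon events with 4634/4647 logoffs to recover the session window and its Logon Type, and reading the ResultCode of 4776 NTLM validations alongside the Kerberos 4768/4769/4771 events) can be scripted over records exported from Security.evtx. The following is an added example, not code from the original article: it works on plain Python dicts whose keys mirror the EventData field names of the real events (EventID, TimeCreated, TargetUserName, TargetLogonId, LogonType, Status, IpAddress), and the sample records are constructed for illustration, not taken from a real log.

```python
# Added example, not code from the original article: reconstruct logon
# sessions and classify authentication outcomes from Security.evtx-style
# records. Field names mirror the EventData fields of the real events
# (EventID, TimeCreated, TargetUserName, TargetLogonId, LogonType, Status,
# IpAddress); all sample records below are constructed for illustration.
from collections import Counter
from datetime import datetime

# Logon Type values discussed in the article (a subset of the Windows list).
LOGON_TYPES = {2: "Interactive", 3: "Network",
               7: "Unlock / RDP reconnection", 10: "RemoteInteractive (RDP)"}
LOGOFF_IDS = {4634, 4647}   # both mark the end of a session


def parse_time(ts):
    """Parse a UTC ISO 8601 TimeCreated string into a datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def make_session(start, end):
    """Build a session dict from a 4624 record and its matching logoff (or None)."""
    t0 = parse_time(start["TimeCreated"])
    t1 = parse_time(end["TimeCreated"]) if end else None
    return {
        "user": start["TargetUserName"],
        "logon_id": start["TargetLogonId"],
        "logon_type": LOGON_TYPES.get(start["LogonType"], f"Type {start['LogonType']}"),
        "source_ip": start.get("IpAddress", "-"),
        "start": t0,
        "end": t1,                      # None when no logoff was observed
        "duration": (t1 - t0) if t1 else None,
    }


def reconstruct_sessions(events):
    """Pair each 4624 with the 4634/4647 carrying the same TargetLogonId."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, logon_id = ev["EventID"], ev.get("TargetLogonId")
        if eid == 4624:
            open_sessions[logon_id] = ev
        elif eid in LOGOFF_IDS and logon_id in open_sessions:
            sessions.append(make_session(open_sessions.pop(logon_id), ev))
    # Sessions still open when the log ends: the logoff is not in this log.
    sessions.extend(make_session(start, None) for start in open_sessions.values())
    return sessions


def classify_account_logon(ev):
    """Return (protocol, outcome) for an Account Logon event, else None.

    4768/4769 are Kerberos successes, 4771 a Kerberos failure; for 4776 (NTLM)
    the Status field decides: 0x0 is success, any other value a failure.
    """
    eid = ev["EventID"]
    if eid in (4768, 4769):
        return ("Kerberos", "success")
    if eid == 4771:
        return ("Kerberos", "failure")
    if eid == 4776:
        return ("NTLM", "success" if int(ev.get("Status", "0x0"), 16) == 0 else "failure")
    return None


def failed_auth_by_account(events):
    """Count failed authentications per account across 4625, 4771 and 4776."""
    counts = Counter()
    for ev in events:
        if ev["EventID"] == 4625:
            counts[ev["TargetUserName"]] += 1
            continue
        cls = classify_account_logon(ev)
        if cls and cls[1] == "failure":
            counts[ev["TargetUserName"]] += 1
    return counts


def record(eid, ts, user, **fields):
    """Build one constructed event record (sample data, not a real log)."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user, **fields}


# Constructed workstation Security.evtx: an RDP session, a network logon with
# no logoff, a failed logon, and 4776 entries logged locally (so 'localadmin'
# is a local SAM account, with one failed and one successful validation).
SAMPLE_EVENTS = [
    record(4624, "2024-03-01T08:00:00Z", "alice", TargetLogonId="0x3e7a1", LogonType=10, IpAddress="10.0.0.5"),
    record(4624, "2024-03-01T08:05:00Z", "svc_backup", TargetLogonId="0x3e7b2", LogonType=3, IpAddress="10.0.0.9"),
    record(4625, "2024-03-01T08:06:00Z", "bob", LogonType=3, IpAddress="10.0.0.9"),
    record(4776, "2024-03-01T08:07:00Z", "localadmin", Status="0xc000006a"),
    record(4776, "2024-03-01T08:07:30Z", "localadmin", Status="0x0"),
    record(4647, "2024-03-01T09:30:00Z", "alice", TargetLogonId="0x3e7a1"),
]

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        print(f"{s['user']:<12} {s['logon_type']:<26} {s['start']} -> {s['end']} ({s['duration']})")
    print("failed authentications:", dict(failed_auth_by_account(SAMPLE_EVENTS)))
```

Pairing on TargetLogonId rather than on the user name matters because one account can hold several concurrent sessions (an interactive session and a network share access, for instance); a session whose logoff never appears is reported with `end` set to `None` instead of being silently dropped, since that gap is itself worth noting when bounding the period of suspicious activity.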