Thursday, January 9, 2020

Windows Account Logon Type

There are various types of logon possible in windows operating system like Network, Interactive, Remote etc.

Whenever successful login event occurs event id 4624 is generated, while 4625 is logged for failed logins. On top of what logon event took place you should also look into logon methods used by the user who attempted to login. This information is provided by LogonType in the log. Following are various logon type supported by windows system.

Type of logon:
"LogonType" -> This defines the type of logon. Possible values are as follows


logon_typeInformation
2Interactive
3Network
4Batch
5Service
7Unlock
8NetworkCleartext
9NewCredentials
10RemoteInteractive
11CachedInteractive

More Detail
  • 2 (Interactive)
Console logon of a computer. This event is logged when you attempt to log on at a Windows computer’s local keyboard and screen.
  • 3 (Network)
A user or computer logged on to this computer from the network. This logon event is generated when remote file shares or printers are accessed.

Most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).
  • 4 (Batch)
This is used for scheduled tasks. Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  • 5 (Service)
A service was started by the Service Control Manager. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
  • 7 (Unlock)
This workstation was unlocked and this logon type is used whenever you unlock your Windows machine.
  • NetworkCleartext
This is used when logging on over the network - when the password is sent in clear text. 

A user logged on to this computer from the network, howerver, user's password was passed to the authentication package in its unhashed form i.e. in cleartext. The credentials should not traverse the network in plaintext.
  • NewCredentials
This is used when you run an application using the RunAs command. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
  • RemoteInteractive
This is used for the RDP applications like Terminal Services or Remote Assistance. A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  • CachedInteractive
This is logged when users log on using cached credentials. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.


Below is a Json log sample for Network logon.

{
"EventTime": "2017-12-04 05:00:00",
"Hostname": "LPWXDC.ChangeMe.local",
"Keywords": -9214364837600034816,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4624,
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version": 1,
"Task": 12544,
"OpcodeValue": 0,
"RecordNumber": 409583434,
"ProcessID": 824,
"ThreadID": 19048,
"Channel": "Security",
"Message": "An account was successfully logged on.",
"Category": "Logon",
"Opcode": "Info",
"SubjectUserSid": "S-1-0-0",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"TargetUserSid": "S-1-5-18",
"TargetUserName": "LPW",
"TargetDomainName": "LP",
"TargetLogonId": "0x1828eb397",
"LogonType": "3",
"LogonProcessName": "Kerberos",
"AuthenticationPackageName": "Kerberos",
"LogonGuid": "{FD1B49BA-A5E9-5D7D-D3F4-D925B43807F2}",
"TransmittedServices": "-",
"LmPackageName": "-",
"KeyLength": "0",
"ProcessName": "-",
"WorkstationName": "LPLONSERVDBVM",
"IpAddress": "10.0.2.10",
"IpPort": "60208",
"ImpersonationLevel": "%%1833",
"EventReceivedTime": "2017-10-09 05:00:00",
"SourceModuleName": "wineventlog_in",
"SourceModuleType": "im_msvistalog"
}
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)