Event ID 4624 indicates that a user has successfully signed in to a Domain Controller (or a workstation). It is still worth analysing the event, especially if the account is not familiar to you or if you suspect that an AD account may be compromised.
Learn here about Event ID 4624 and how to troubleshoot any problems in your Active Directory environment due to this event.
Event ID 4624 "Subject" Properties
The event’s Subject has the following sub-properties:
1. Security ID (SID): the security identifier of the account that reported the logon. If Event Viewer cannot resolve the account’s SID (as in most cases), event ID 4624 logs a NULL SID (no value) in the Security ID field.
2. Account Name: the name of the account that reported the successful logon. This information helps you determine whether this is a legitimate user or service account in Active Directory.
As with the Security ID field, the Account Name field may be blank. If the account name is not registered here, it may be registered in the “New Logon” property (see the New Logon section below).
3. Account Domain: the account’s domain that registered the event (“subject’s domain”). Alternatively, Account Domain could display the computer’s name that registered the successful logon event.
Event ID 4624 displays the Account Domain in one of 3 ways: the NetBIOS name of the domain, for example, infrasos, the fully qualified domain name in lowercase (infrasos.com), or uppercase (INFRASOS.COM).
Whichever format Event Viewer uses for the Account Domain field, the information helps you determine the AD domain the account belongs to. This is useful for troubleshooting, especially if you manage a multi-domain AD forest.
4. Logon ID: a hexadecimal value you can use to correlate this event with other recent events that carry the same Logon ID. This helps you identify patterns or anomalies across events and troubleshoot related issues.
Event ID 4624 "Logon Information" Properties
The Logon Information section of event ID 4624 – An account was successfully logged on – has 4 sub-properties – Logon Type, Restricted Admin Mode, Virtual Account and Elevated Token.
1. Logon Type: the type of logon that registered the successful logon event. The values are from 0 to 13.
To learn the meaning of each number, visit the Logon types and descriptions section of Microsoft’s page for event 4624.
The information recorded in the “Logon Type” field of event ID 4624 helps admins to determine how the logon happened.
Pro Tip: if event ID 4624 registers a Logon Type of 10 (RemoteInteractive logon) with a loopback source network address (127.0.0.0), treat this as a suspicious successful logon, as it could indicate an RDP tunnelling attack.
See this guide’s Network Information section for “source network” information.
2. Restricted Admin Mode: a boolean (Yes or No) value showing whether the credentials provided were passed using Restricted Admin mode. If the logon type is not 10, the Restricted Admin Mode field contains the “-” string.
3. Virtual Account: a Yes or No field indicating whether the account that registered the successful logon is a virtual account. An example of a virtual account is a Managed Service Account (introduced in Windows 7 and Windows Server 2008 R2).
4. Elevated Token: also a Yes or No field, indicating whether the account that triggered the successful logon (event ID 4624) is an admin account.
Event ID 4624 "Impersonation Level" Properties
The Impersonation Level field shows how far a process in the logon session may impersonate the client. Successful impersonation means the client has granted the server permission to act on its behalf.
The impersonation level then indicates the extent of authority granted to the server when it assumes the client’s identity. The different degrees of impersonation are recorded in event ID 4624 as the levels below.
The different levels of impersonation that are recorded on event log 4624 for a successful logon are as follows:
1. Anonymous: the server acknowledges that it does not know the client’s identity. Therefore, the server cannot assume or impersonate the client’s identity.
2. Identification: the default level. If this is registered as the Impersonation Level, the client allows the server to obtain its identity and perform Access Control List (ACL) checks by assuming the client’s identity.
3. Impersonation: the most common form of impersonation. The server assumes the client’s security context on the local system; however, it cannot impersonate the client on remote systems.
4. Delegation: indicates that the server process impersonates the client’s security context on remote systems.
Event ID 4624 "New Logon" Properties
The New Logon fields show the account that logged on, which is the account for whom the new logon was created.
By comparing the computer name with the Account Domain, you determine whether the account is local or a domain account. If the computer name matches the Account Domain, the account is a local account on that system.
However, if they do not match, it is a domain account.
1. Security ID (SID): security identifier of the account that registered the “successfully logged on” event ID 4624. When the Event Viewer logs this event, it tries to resolve the SID.
However, if it cannot resolve the SID to the account name, it displays the source of the event instead.
2. Account Name: the name of the account that performed the successful logon.
3. Account Domain: the event log may register the domain name in one of three formats: NetBIOS (for example, infrasos), lowercase (infrasos.com), or uppercase (INFRASOS.COM).
Furthermore, the Account Domain field displays “NT AUTHORITY” if the logon account is a LOCAL SERVICE or ANONYMOUS LOGON.
4. Logon ID: a hexadecimal value such as 0x8A1E427. It is crucial for troubleshooting because it links this event with other recent events that have the same Logon ID.
5. Linked Logon ID: a hexadecimal value assigned to the corresponding (linked) logon session. Where there are no other associated logon events, the value of Linked Logon ID is “0x0”.
6. Logon GUID: allows you to link event ID 4624 with another event that carries the same Logon GUID. By doing this, you establish a relationship between two events that might seem unrelated, giving you a more complete picture of any potential threat to your Active Directory environment.
"New Logon" Network Information Fields
7. Network Account Name: only applies to the “NewCredentials” logon type, as discussed earlier. If the logon type is anything other than “NewCredentials”, Event Viewer records “-” in the Network Account Name field.
8. Network Account Domain: only applies to the “NewCredentials” logon type, just like the Network Account Name. If the user makes a network connection, they use the domain name specified in this field.
If the logon type is not “NewCredentials”, Event Viewer records “-” in the Network Account Domain field.
Event ID 4624 "Process Information" Properties
The Process Information field of the event log provides information about the process that registered the successful logon event.
1. Process ID: a hexadecimal value that Windows (like other operating systems) uses to uniquely identify a process. Event Viewer displays in this field the ID of the process that performed the successful logon and registered event ID 4624.
Convert the hexadecimal Process ID in event ID 4624 to decimal. You can then compare it with the IDs returned by the Get-Process PowerShell command.
2. Process Name: the name of the process that registered the successful logon event.
Event ID 4624 "Network Information" Properties
1. Workstation Name: records the name of the computer from which the user initiated the logon. If the logon originated from the same computer on which the event was registered, or if it is a Kerberos logon, the Workstation Name field is empty.
2. Source Network Address: records the computer’s IP address from which a user logged in. If you see “::1” (IPv6) or “127.0.0.1” (IPv4) in this field, that means the user logged in from the same computer where the event log was created. In other words, they logged in locally.
3. Source Port: registers the source TCP port of the remote computer used to log on.
Event ID 4624 "Detailed Authentication Information" Properties
In this last section, we find out how the authentication took place. It records the process responsible for the authentication and the package used, and the “Detailed Authentication Information” field also shows other crucial details such as Transited Services, Package Name, and Key Length.
1. Logon Process: captures the name of the trusted logon process used for the logon when the system registered event ID 4624, “An account was successfully logged on.”
2. Authentication Package: records the type of authentication package used to perform the account logon authentication.
The most commonly used authentication packages are NTLM, Kerberos, and Negotiate; Negotiate chooses between the Kerberos and NTLM protocols.
3. Transited Services (Kerberos only): lists the transited services. This field is populated if the logon resulted from an S4U (Service For User) logon process.
4. Package Name (NTLM only): if the NTLM protocol (rather than Kerberos) authenticated the logon request, the Package Name field records the version of NTLM. Specifically, it records the LAN Manager version, a sub-family of the NTLM authentication protocol.
The Package Name field therefore records NTLM V1, NTLM V2, or LM.
5. Key Length: only applies to the NTLM authentication protocol. If Kerberos authenticated the logon request that registered event ID 4624, the Key Length field is “0”.
If NTLM performed the authentication, the key length is 128 or 56 bits.
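The following Python script is an added example, not code from the InfraSOS article, that ties together several of the checks described above: it parses the XML of a 4624 event, converts the hexadecimal Logon ID and Process ID to decimal (the Process Information section), classifies the account as local or domain by comparing the New Logon Account Domain with the computer name (the New Logon section), flags a Logon Type 10 from a loopback source address (the Pro Tip in Logon Information), and flags a legacy NTLM Package Name or a 56-bit Key Length (this section). The Data Name attributes used (TargetDomainName, TargetLogonId, LogonType, ProcessId, IpAddress, LmPackageName, KeyLength) are the EventData field names Windows writes for event 4624; the two sample events are constructed for illustration, not captured from a real system.

```python
# Added example (not from the article): parse one Security event 4624 and apply
# the checks the article describes. Both sample events are constructed.
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 1: a RemoteInteractive (type 10) logon to a domain account
# whose Source Network Address is the loopback address.
SAMPLE_RDP_LOOPBACK = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS01.infrasos.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">INFRASOS</Data>
    <Data Name="TargetLogonId">0x8A1E427</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="ProcessId">0x3a4</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
  </EventData>
</Event>"""

# Constructed sample 2: a network (type 3) logon to a local account on WS01,
# authenticated with NTLM V1 and a 128-bit key, from another host on the LAN.
SAMPLE_NTLMV1_LOCAL = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS01.infrasos.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">backupsvc</Data>
    <Data Name="TargetDomainName">WS01</Data>
    <Data Name="TargetLogonId">0x1F4B2</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="KeyLength">128</Data>
  </EventData>
</Event>"""


def parse_4624(xml_text: str) -> Dict[str, str]:
    """EventData fields as a dict, plus the Computer name from the System section."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("./e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("./e:System/e:Computer", default="", namespaces=NS)
    return fields


def hex_field(value: str) -> int:
    """Logon ID and Process ID are logged as hex strings such as 0x8A1E427;
    the decimal result is what Get-Process -Id expects."""
    return int(value, 16)


def account_scope(ev: Dict[str, str]) -> str:
    """Local if the New Logon Account Domain equals the computer name,
    builtin if it is NT AUTHORITY (LOCAL SERVICE etc.), otherwise domain."""
    domain = ev.get("TargetDomainName", "").upper()
    if domain == "NT AUTHORITY":
        return "builtin"
    host = ev.get("Computer", "").split(".")[0].upper()
    return "local" if domain == host else "domain"


def is_rdp_from_loopback(ev: Dict[str, str]) -> bool:
    """Logon Type 10 with a loopback Source Network Address (127.0.0.0/8 or ::1)."""
    if ev.get("LogonType") != "10":
        return False
    try:
        return ipaddress.ip_address(ev.get("IpAddress", "")).is_loopback
    except ValueError:  # the field is "-" or empty
        return False


def ntlm_weakness(ev: Dict[str, str]) -> Optional[str]:
    """Flag a legacy Package Name (NTLM V1, LM) or a 56-bit NTLM Key Length."""
    package = ev.get("LmPackageName", "-")
    if package in ("NTLM V1", "LM"):
        return "legacy package " + package
    if package != "-" and ev.get("KeyLength") == "56":
        return "56-bit NTLM key"
    return None


def review(xml_text: str) -> Dict[str, object]:
    """Run every check on one event and return the findings."""
    ev = parse_4624(xml_text)
    return {
        "user": ev.get("TargetUserName", ""),
        "logon_id": hex_field(ev["TargetLogonId"]),
        "process_id": hex_field(ev["ProcessId"]),
        "scope": account_scope(ev),
        "rdp_from_loopback": is_rdp_from_loopback(ev),
        "ntlm_weakness": ntlm_weakness(ev),
    }
```

On a live system the XML comes from `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1).ToXml()` in PowerShell; feed that string to `review()` and the first sample produces `rdp_from_loopback: True` while the second produces `scope: local` and `ntlm_weakness: legacy package NTLM V1`.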
What is Event ID 4624: An Account was Successfully Logged On Conclusion
This article described the different properties associated with this event, including Subject, Logon Information, Impersonation Level, New Logon, Process Information, Network Information, and Detailed Authentication Information.