Active Directory & Office 365 Reporting Tool

What is Windows Event ID 4624 ? – Successful Logon. Windows Event ID 4624, often called Successful Logon event, is a pivotal component of Windows Security Event Logs that is an integral tool for monitoring and securing computer systems. This event code is system generated. Whenever a user successfully logs into a Windows based system, providing crucial insights into user activities and access privileges. By examining Event ID 4624 and its associated details, cybersecurity professionals understand who has gained access to a system, when it occurred, and from which source. This information is invaluable for promptly identifying and responding to security threats and maintaining the integrity and security of an organization’s digital environment.

Shall we start What is Windows Event ID 4624 ? – Successful Logon.

What is Windows Event ID 4624 ? – Successful Logon

Every successful attempt to log on to a local computer is recorded by Event ID 4624, which we see in Windows Event Viewer. In other words, where the system establishes an event, the system generates the event on the computer access. Event ID 4625 records failed logon attempts in a connected incident.

 The vital information that we derive from Event 4624 includes:

  • Logon Type: This field discloses the user login method, highlighting how the user accessed the system. Among the nine logon types, the most prevalent are logon type 2 (interactive) and type 3 (network), while any logon type other than 5 (indicating a service startup) should raise concerns. Further elaboration on logon types follows later in the article.
  • New Logon: In this segment, we uncover the Account Name associated with each new logon created by the system, along with the corresponding Logon ID, a hexadecimal value that aids in cross-referencing this event with others.

Other Information From Event ID 4624

  • Subject: Discloses the account on the local system (not the user) that initiated the logon request.
  • Impersonation Level: This section indicates how a process within the logon session impersonates a client, influencing the operations a server performs within the client’s context.
  • Process Information: Details regarding the process that made the logon attempt.
  • Network Information: Reveals the location from which the user logged on. In the case of a user-initiated logon from the same computer, this information may be empty or display the local computer’s workstation name and source network address.
  • Authentication Information: Information about the authentication package utilized for the logon process.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Threat Detection and Prevention with Event 4624

Threat detection and prevention are critical in safeguarding computer systems and networks from malicious activities. Event ID 4624, a fundamental Windows Security Event Logs component, is instrumental in this endeavor. It signifies a successful logon event, offering insights into user activities and helping security professionals identify and respond to potential threats in real time. By analysing Event ID 4624 and its associated data, organizations  proactively strengthen their cybersecurity posture, promptly detect and mitigate unauthorized access attempts, and ensure their digital assets’ integrity and confidentiality.

Windows Logon Types

Windows supports several logon types, each serving a specific purpose and authentication method. Here is a list of standard Windows logon types along with their descriptions:

  1. Interactive Logon (Type 2): Used when a user logs in directly at the computer or via a remote desktop. This logon type requires a username and password.
  2. Network Logon (Type 3): Occurs when accessing network resources on another computer. The system sends the credentials to the remote server for authentication.
  3. Batch Logon (Type 4): For scheduled tasks or batch jobs running under a specified user account; not interactive.
  4. Service Logon (Type 5): Used by Windows services, starting automatically or manually with the Service Control Manager.
  5. Unlock Logon (Type 7): Generated when unlocking a previously locked workstation; no new credentials required.
  6. Network Clear Text Logon (Type 8): Rare and insecure; sends credentials in clear text over the network.
  7. New Credentials Logon (Type 9): Occurs when providing different credentials for accessing network resources.
  8. Remote Interactive Logon (Type 10): Used for remote desktop connections.
  9. Cached Interactive Logon (Type 11): Using cached credentials when not connected to the network allows local authentication.
  10. Cached Remote Interactive Logon (Type 12): Similar to cached interactive logon but for remote connections.
  11. Cached Unlock Logon (Type 13): Generated when unlocking a computer with cached credentials offline.
  12. Cached Credential Logon (Type 14): This logon type uses applications or services accessing network resources with cached credentials.
  13. Cached Remote Credential Logon (Type 15): Similar to cached credential logon, but for remote access.
  14. Unlock (Type 21): Occurs when unlocking a previously locked workstation.

These logon types are essential for auditing and security analysis to monitor user activity and potential security breaches.

Suspicious Successful Logons

Now that we have discussed the different types of Windows Logon methods, we  start analysing which Event IDs 4624 are logged in by a malicious perpetrator. Here are some of the below examples:

  • Event ID 4624 with Logon type 10 ( RemoteInteractive logins ) and the source network address is loopback ( 127.*.*.* or ::1 ), mostly RDP tunneling.
  • Event ID 4624 logon type 10 ( RemoteInteractive Logins ) and source network is not in our organization’s Subnet.
  • Event ID 4624, logon type (3 and 10), source workstation names, and destination are end-user machines.
  • Event ID 4624, with logon types (2 and 10) and an account name ending with $, like ItSupport$, is a possible fake machine account.
  • Event ID 4624 with more than one successful logon with logon types 3 and 10 from the same account name and different source network address is considered suspicious.
  • Event ID 4624 and logon types ( 2, 10, and 7 ) and account names like internal service accounts (svc_*), Possible interactive logon from a service account.

In the relentless pursuit of cybersecurity, the vigilance required to monitor and respond to suspicious successful logon events, often indicative of unauthorized or malicious access, remains a crucial and ongoing endeavour.

Get-Event log for Event ID 4624 using PowerShell

Like any other graphical user interface (GUI) in the Windows operating system, we access information through command-line interface (CLI) commands, such as those available in Windows PowerShell. To obtain event logs related to event ID 4624, PowerShell provides us with convenient cmdlets like Get-EventLog and Get-WinEvent. Let’s demonstrate how to retrieve event logs for event ID 4624 using the Get-EventLog command in PowerShell.

					$currentDate = [DateTime]::Now.AddDays(-1) 
Get-EventLog -LogName "Security" -After $currentDate | Where -FilterScript {$_.EventID -eq 4624} 

In the above syntax:

  • Get-EventLog gets event ID 4624 events for the specified date using the $currentDate variable.
  • It uses the LogName parameter to determine the log name of the event, like Security
  • All Event IDs are filtered out equal to 4624 using the FilterScript parameter.

We also get event logs for event ID 4624 using the Get-WinEvent command in PowerShell:

					Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4624} 

In the above Windows PowerShell script,

  • Get-WinEvent gets the event log for event ID 4624.
  • It uses the FilterHashtable parameter and LogName as Security to bring these events

Utilizing PowerShell’s event cmdlet to retrieve Event ID 4624 entries provides a powerful means of monitoring and responding to successful logon events, enabling proactive detection and mitigation of potential security threats in the ever-evolving cybersecurity landscape.

Thank you for reading What is Windows Event ID 4624 ? – Successful Logon. We shall conclude this article.

Thank you for reading What is Windows Event ID 4624 ? – Successful Logon. We conclude this article.

What is Windows Event ID 4624 ? – Successful Logon Conclusion

In conclusion, Windows Event ID 4624 is a fundamental system security and monitoring pillar. It is an indispensable tool for tracking and comprehending user access to Windows-based environments, offering valuable insights into login events by providing information about who gains access, when it occurs, and from where Event ID 4624 empowers cybersecurity professionals to bolster their systems’ security posture and swiftly respond to potential threats. It is an essential component in the arsenal of security measures, ensuring the integrity and confidentiality of digital assets while enabling proactive threat detection and prevention.


Try InfraSOS for FREE

Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool

Marion Mendoza

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.

Leave a comment

Your email address will not be published. Required fields are marked *