In the Windows Event Viewer you will frequently see events 4624 and 4625 in the Security Log, but the entry only gives you a number and a one-word description for the Logon Type, which is not great.
In this article we explain what the different Logon Types mean:
What is Logon Type 0 – System?
Logon Type 0 – System means that the computer was started up.
What is Logon Type 2 – Interactive?
Logon Type 2 – Interactive means that a user tried to sign in at the console, that is, at the local keyboard and screen.
What is Logon Type 3 – Network?
Logon Type 3 – Network means that something connected to this machine over the network. In other words, a user or another computer connected to this computer remotely, most likely through an SMB share or a shared printer.
What is Logon Type 4 – Batch?
Logon Type 4 – Batch means that a Scheduled Task ran on this computer. Note that if the Scheduled Task is set to run only when a designated user is logged on, this event will NOT be logged.
What is Logon Type 5 – Service?
Logon Type 5 – Service means that a service was started by the Service Control Manager and logged on to do whatever it has to do. Note that this event will only be logged if the service runs under a regular user account; it will NOT be logged if the service runs as a “special account” such as Local System or NT AUTHORITY\LocalService.
What is Logon Type 7 – Unlock?
Logon Type 7 – Unlock means that a user tried to unlock a locked workstation. This is different from the initial logon, which is logged as Logon Type 2.
What is Logon Type 8 – NetworkCleartext?
Logon Type 8 – NetworkCleartext means that a user connected to this computer without the credentials being encrypted. In today's world this is very unusual to see, but it was common 20 years ago. You might see it when someone is setting up an IIS web server or during some testing, but moving passwords through any network in clear text is a very risky proposition, because it is so easy to use a “packet sniffer” like Wireshark to read them.
Many programs that used to accept clear-text passwords have since disabled that option. For example, Microsoft's notice on Exchange Online:
In September 2021, we announced that effective October 1, 2022, we will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.
learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
What is Logon Type 9 – NewCredentials?
Logon Type 9 – NewCredentials means that someone started a program or connection using RUNAS with alternate credentials.
What is Logon Type 10 – RemoteInteractive?
Logon Type 10 – RemoteInteractive means that someone has logged in using Remote Desktop (RDS), Terminal Services or Remote Assistance.
There are a few more, but they are used even more rarely.
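As an added example that is not part of the original article, the following PowerShell decodes the LogonType field of recent 4624 events into the names explained above and pulls out the types worth a closer look. It assumes an elevated Windows PowerShell session on the machine being examined (reading the Security log requires administrator rights); the one-day window is an arbitrary choice.

```powershell
# Added example, not code from the original article.
# Map the numeric LogonType in event 4624 to the names explained above.
$logonTypeNames = @{
    '0' = 'System'; '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'
    '5' = 'Service'; '7' = 'Unlock'; '8' = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive'
}

# Pull one value out of the event's EventData XML by its Name attribute.
function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Successful logons from the last day (arbitrary window); needs an elevated prompt.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $type = [string](Get-EventField $x 'LogonType')
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = [int]$type
        Name        = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Other($type)" }
        User        = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
        Source      = Get-EventField $x 'IpAddress'
        Workstation = Get-EventField $x 'WorkstationName'
    }
}

# Overview: how many logons of each type occurred in the window.
$logons | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Type 8 should be rare today: each one is a password that crossed the network in the clear.
$logons | Where-Object LogonType -eq 8 |
    Format-Table Time, User, Source, Workstation -AutoSize

# Types 2, 4, 5, 9 and 10 leave reusable credentials on this host; show which
# accounts did so, so an unexpected admin account stands out.
$logons | Where-Object { $_.LogonType -in 2, 4, 5, 9, 10 } |
    Group-Object Name, User | Select-Object Name, Count | Format-Table -AutoSize
```

Running the same script with Id = 4625 shows failed attempts grouped the same way, which is how a burst of type 10 failures from one address becomes visible.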
Here are a few of the most common connection methods:
Connection Method | Logon Type | Reusable Credentials on Destination | Comments |
Log on at console | Interactive | Credentials ARE Exposed | Includes hardware remote access / lights-out cards and network KVMs. |
RUNAS | Interactive | Credentials ARE Exposed | |
RUNAS /NETWORK | NewCredentials | Credentials ARE Exposed | Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
Remote Desktop (success) | RemoteInteractive | Credentials ARE Exposed | If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
Remote Desktop (failure – logon type was denied) | RemoteInteractive | Credentials are NOT Exposed | By default, if RDP logon fails credentials are only stored briefly. This may not be the case if the computer is compromised. |
Net use * \\SERVER | Network | Credentials are NOT Exposed | |
Net use * \\SERVER /u:user | Network | Credentials are NOT Exposed | |
MMC snap-ins to remote computer | Network | Credentials are NOT Exposed | Example: Computer Management, Event Viewer, Device Manager, Services |
PowerShell WinRM | Network | Credentials are NOT Exposed | Example: Enter-PSSession server |
PowerShell WinRM with CredSSP | NetworkClearText | Credentials ARE Exposed | New-PSSession server -Authentication Credssp -Credential cred |
PsExec without explicit creds | Network | Credentials are NOT Exposed | Example: PsExec \\server cmd |
PsExec with explicit creds | Network + Interactive | Credentials ARE Exposed | PsExec \\server -u user -p pwd cmd Creates multiple logon sessions. |
Remote Registry | Network | Credentials are NOT Exposed | |
Remote Desktop Gateway | Network | Credentials are NOT Exposed | Authenticating to Remote Desktop Gateway. |
Scheduled task | Batch | Credentials ARE Exposed | Password will also be saved as LSA secret on disk. |
Run tools as a service | Service | Credentials ARE Exposed | Password will also be saved as LSA secret on disk. |
Vulnerability scanners | Network | Credentials are NOT Exposed | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |