Event 4624: An account was successfully logged on.
Quick Answer
Event 4624 records every successful user authentication and logon to a Windows system. For security monitoring, focus on the LogonType field to identify suspicious authentication methods, unusual logon times, and potential lateral movement patterns across your network.
Technical Details
Event ID: 4624
Windows Security- Authentication
Event Description
An account was successfully logged on.
Analyst Notes & Scenarios
- Logon Type 2 (Interactive) & 10 (RemoteInteractive) indicate user console/RDP logins.
- Logon Type 3 (Network) often relates to accessing network shares or service auth.
- Logon Type 5 (Service) indicates service startup.
- Logon Type 7 (Unlock) indicates workstation unlock.
- Monitor for unusual Logon Types, high frequency, off-hours activity, or logins from unexpected sources/accounts.
- Correlate Logon GUID with 4634 (Logoff) and 4672 (Privilege Assignment).
Key Log Fields
LogonType- Type of logon (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 10=RemoteInteractive, 11=CachedInteractive)TargetUserName- Account name that was logged onTargetDomainName- Domain or computer name of the accountTargetUserSid- SID of the account that was logged onSubjectUserName- Account name that initiated the logonSubjectDomainName- Domain of the account that initiated the logonWorkstationName- Source workstation name from which logon was attemptedIpAddress- Source IP address of logon attemptIpPort- Source port numberLogonProcessName- Name of the logon process (e.g., User32, Advapi, Kerberos)AuthenticationPackageName- Authentication package used (e.g., NTLM, Kerberos)LogonGuid- Unique GUID for correlating with other logon-related eventsElevatedToken- Whether logon has elevated token (Yes/No)
MITRE ATT&CK® Mapping (8)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba. Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
Event Comparison
Compare with Event 4625 (Failed Logon) to detect brute force attempts. Event 4672 (Special Privileges Assigned) often follows 4624 for administrative accounts.
What This Event Means
Event 4624 is generated whenever a user account successfully authenticates to a Windows system, making it one of the most frequently logged security events in any Windows environment. This event captures critical authentication details including the account name, logon type, source network address, authentication package used, and the process that handled the logon request. Security analysts rely heavily on this event to establish baseline user behavior patterns, detect credential theft attempts, and identify unauthorized access to systems. The LogonType field is particularly valuable as it distinguishes between interactive console logons (Type 2), network resource access (Type 3), batch jobs (Type 4), Windows services (Type 5), and remote desktop sessions (Type 10). Understanding these logon types helps analysts differentiate between legitimate user activity and potential attack scenarios such as Pass-the-Hash attacks, which typically manifest as Type 3 network logons with NTLM authentication from unusual source addresses.
Security Implications
- Credential theft and Pass-the-Hash attacks typically appear as Type 3 network logons with NTLM authentication
- Lateral movement across the network generates multiple 4624 events from the same source to different targets
- After-hours logons or access from unexpected geographic locations may indicate compromised credentials
- Service account logons from workstations (rather than servers) often signal malicious activity
- Golden Ticket attacks create logons with abnormally long Kerberos ticket lifetimes
Detection Strategies
Monitor for logon patterns that deviate from established baselines. Look for multiple failed logons (Event 4625) followed by successful logon, which may indicate brute force attacks. Track logon type changes for the same user account, such as service accounts suddenly performing interactive logons. Alert on logons from privileged accounts outside normal business hours or from unexpected source IP addresses. Correlate 4624 events with process creation (Event 4688) to identify post-exploitation activity. Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in a future update.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
APT29 (Cozy Bear) utilized compromised credentials to generate Type 3 network logons during the SolarWinds supply chain attack, moving laterally through victim networks
Ryuk ransomware operators commonly abuse stolen domain administrator credentials to create Type 10 Remote Desktop logons before deploying encryption payloads
The Hafnium threat group exploited Exchange Server vulnerabilities and used stolen credentials to establish persistent Type 5 service logons