Windows SecurityAuthenticationEnhanced Analysis

Event 4634: An account was logged off.

Quick Answer

Event 4634 is generated when an account is logged off from a system, recording the end of a user session. While often overlooked, this event is valuable for calculating session durations, detecting anomalous logon patterns when correlated with Event 4624, and identifying potential cleanup activities by attackers attempting to remove their traces.

Technical Details

Windows Security Source

Event ID: 4634

Windows Security- Authentication

Event Description

An account was logged off.

Key Log Fields

  • TargetUserName - Account name that logged off
  • TargetDomainName - Domain of the account
  • TargetLogonId - Logon ID to correlate with 4624
  • LogonType - Type of logon that ended

Event Comparison

Event 4634 logs all session terminations, while Event 4647 specifically tracks user-initiated logoffs. Event 4778 (session reconnected) and Event 4779 (session disconnected) track Remote Desktop session state changes. Correlate all these events for complete session visibility.

What This Event Means

Event 4634 marks the termination of user sessions and provides important context when correlated with Event 4624 (successful logons) to understand session behavior. Security teams can use this event to identify abnormally short sessions (potential failed attack attempts or automated reconnaissance), unusually long sessions (forgotten credentials, persistence mechanisms), or sessions occurring during off-hours. When attackers successfully compromise systems, they may intentionally generate Event 4634 to clear their tracks or may leave sessions open indefinitely if using persistence mechanisms. This event includes the logon ID that matches corresponding Event 4624 entries, enabling precise session tracking. The logon type field indicates whether the session being closed was interactive, network, service, or another type.

Security Implications

  • Abnormally short session durations (seconds) may indicate automated credential testing or failed attack attempts
  • Missing Event 4634 for established sessions may indicate persistence mechanisms or attackers maintaining access
  • Rapid logon/logoff cycles from same account across multiple systems suggests lateral movement reconnaissance
  • Service account logoffs outside maintenance windows may indicate unauthorized access or misuse
  • Attackers using tools like Mimikatz or Cobalt Strike may not properly close sessions, creating logon/logoff pattern anomalies

Detection Strategies

Calculate session durations by correlating Event 4634 with corresponding Event 4624 using the Logon ID field. Alert on sessions shorter than expected thresholds for interactive logons (e.g., <60 seconds) which may indicate failed attacks or scripted reconnaissance. Monitor for Event 4624 entries lacking corresponding Event 4634 closures, suggesting persistent access or forgotten credentials. Track service account logoff events that occur outside scheduled maintenance windows. Detect lateral movement by identifying accounts with many short-duration sessions across multiple systems within compressed timeframes. Monitor privileged account logoffs occurring during unusual hours or from unexpected source systems.

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • Credential validation reconnaissance: Attackers testing stolen credentials generated Event 4624/4634 pairs with 5-second durations across 50 systems, validating access without maintaining sessions

  • Cobalt Strike beacon detection: Missing Event 4634 for service account Event 4624 Type 3 logons indicated persistent beacon maintaining network sessions for C2 communication

  • Ransomware deployment: Event 4634 logged immediately after Event 4624 as attackers quickly authenticated to systems, deployed ransomware binaries, and disconnected

  • Insider threat investigation: Employee created evening sessions with no corresponding logoffs, later found to be using scheduled tasks for persistent unauthorized access

Contents