RDP Event logs tracking 4624 / 4625

Sina Mohebi
3 min readAug 2, 2023

--

Event ID 4624 is generated in the Windows Security Log when a successful logon occurs on a local computer. This event is generated on the computer that was accessed, meaning that it is the computer where the logon session was created. A related event, Event ID 4625, is generated when a logon attempt fails.

The following information is included in Event ID 4624:

  • Subject: The account that requested the logon.
  • Logon Type: The type of logon that occurred.
  • New Logon: The account that was logged on.
  • Workstation Name: The name of the computer that was logged on to.
  • IP Address: The IP address of the computer that was logged on to.

This information can be used to track who logged on to a computer, when they logged on, and from where they logged on. This information can be helpful in troubleshooting security issues and in identifying unauthorized access to computers.

Example

An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type:3
New Logon:
Security ID: WIN-R9H529RIO4Y\\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x19f4c
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4c0
Process Name: C:\\Windows\\System32\\winlogon.exe
Network Information:
Workstation Name: WIN-R9H529RIO4Y
Source Network Address: 10.42.42.211
Source Port: 1181
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Description of Logon Type

Event 4624 & 4625 provides important information, including:

  • Logon Type: This field indicates the type of logon that occurred and how the user logged on. There are nine different types of logons, with the most common being logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) should be considered a red flag.

Logon types and descriptions


+------------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Logon Type | Logon Title | Description |
+------------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | System | Used only by the System account, for example at system startup. |
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 6 | Proxy | Proxy logon. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| 12 | CachedRemoteInteractive | Same as RemoteInteractive. This is used for internal auditing. |
+------------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

According to the table above, the value for RemoteInteractive (Remote Desktop) is “10”. However, there is something that Microsoft did not tell you!

If you try to connect to a computer using mstsc.exe (Remote Desktop) with its IP address, the Logon type field will be equal to 3 (Network). However, if you use the computer's hostname(FQDN), such as "sinamohebi.lib.dc2", we expect to see Logon type 10.

Here is the explanation:

  • When you connect to a computer using its IP address, the Remote Desktop Protocol (RDP) uses the TCP/IP protocol to establish a connection. This is considered a network logon.
  • When you connect to a computer using its hostname, the RDP uses the DNS protocol to resolve the hostname to an IP address. Once the IP address is known, the RDP uses TCP/IP to establish a connection. This is considered a remote interactive logon.

--

--