Overview
The LogonEvents command parses Windows Security Event Log entries for Event ID 4624 (successful logon events). It returns detailed information about every successful authentication on the system, including the logon type, account details, source IP address, and the authentication package used. It is essential for tracking user access, identifying lateral movement, and detecting unauthorized access.
Syntax
Arguments
- days (optional) - Number of days to search backwards from the current date. Default is 10 days.
Examples
Output
The command returns:
- Event timestamp
- Logon ID
- Account name
- Account domain
- Logon type (Interactive, Network, RemoteInteractive, etc.)
- Authentication package (NTLM, Kerberos, Negotiate)
- Source workstation name
- Source IP address
- Source port
- Logon process
- Process ID
- Elevated token (Yes/No)
Logon Types
- Type 2 - Interactive (local logon)
- Type 3 - Network (SMB, file shares)
- Type 4 - Batch (scheduled tasks)
- Type 5 - Service (Windows services)
- Type 7 - Unlock (workstation unlock)
- Type 8 - NetworkCleartext (IIS basic auth)
- Type 9 - NewCredentials (RunAs)
- Type 10 - RemoteInteractive (RDP, Terminal Services)
- Type 11 - CachedInteractive (offline domain logon)
Use Cases
Red Team
- Map lateral movement paths across the network
- Identify privileged account usage patterns
- Discover service accounts and their activity
- Track administrator logon patterns
- Identify potential targets based on access patterns
- Determine authentication protocols in use
- Find systems with cached credentials
- Identify unusual logon times for targeted attacks
Blue Team
- Detect unauthorized access attempts
- Monitor lateral movement and credential theft
- Identify suspicious logon patterns (time, location, type)
- Audit privileged account usage
- Detect Pass-the-Hash attacks
- Monitor for brute force attacks
- Correlate logon events with other security incidents
- Validate least privilege principles
- Identify credential reuse across systems
- Detect anomalous authentication patterns
- Investigate potential account compromise
- Track service account activity
Example Output
Performance Considerations
This command reads from the Windows Security Event Log, which can be time-intensive depending on:
- Size of the Security Event Log
- Number of days specified in the argument
- Event log rotation and retention settings
- System performance and disk I/O
- Volume of logon activity on the system
Remote Execution
This command supports remote execution via WMI. Use the -computername parameter to query logon events on remote systems:
Detection Considerations
Indicators
- Security Event Log access (Event ID 4663, 4656)
- WMI queries to remote event logs
- Large-scale event log enumeration
- Access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog
- Unusual processes reading Security event logs
Defensive Recommendations
- Enable Security Event Log auditing (Event ID 4663)
- Monitor for mass event log queries
- Alert on event log access by non-authorized tools
- Implement SIEM correlation for logon patterns
- Restrict event log access to authorized accounts only
- Monitor for abnormal logon events (after-hours, unusual sources)
- Correlate Event ID 4624 with failed logons (4625) and explicit logons (4648)
- Baseline normal logon behavior per user/system
- Alert on logon types unusual for specific accounts
- Monitor for NTLM authentication when Kerberos should be used
- Track source IP addresses for geographic anomalies
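The following is an added example, not part of the original page or the tool it documents: it parses the 4624 fields listed under Output from an event rendered as XML and applies two of the recommendations above (logon type unusual for the account, NTLM where the account's baseline is Kerberos). The sample event, the baseline and the field names chosen are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Logon type codes as enumerated earlier on this page
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4624(xml_text):
    """Pull the fields listed under Output out of one 4624 event rendered as XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "logon_type": int(data.get("LogonType", "0")),
        "auth_pkg": data.get("AuthenticationPackageName", ""),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
        # ElevatedToken is logged as the resource string %%1842 (Yes) or %%1843 (No)
        "elevated": data.get("ElevatedToken", "") == "%%1842",
    }

def flag_event(ev, baseline):
    """Check one parsed event against a per-account baseline of expected logon
    types and authentication package; returns a list of findings (empty = normal)."""
    findings = []
    known = baseline.get(ev["user"])
    if known is None:
        return ["account not in baseline"]
    if ev["logon_type"] not in known["types"]:
        name = LOGON_TYPES.get(ev["logon_type"], "unknown")
        findings.append(f"unusual logon type {ev['logon_type']} ({name})")
    if ev["auth_pkg"] == "NTLM" and known["auth"] == "Kerberos":
        findings.append("NTLM used where Kerberos expected")
    return findings

# Constructed sample event (not real log data): a service account seen over RDP with NTLM
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-05T02:14:07Z"/></System>
<EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">10</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">WS-117</Data><Data Name="IpAddress">10.20.30.40</Data>
<Data Name="ElevatedToken">%%1842</Data></EventData></Event>"""

# Constructed baseline: svc_backup normally logs on as a service (type 5) via Kerberos
BASELINE = {"svc_backup": {"types": {5}, "auth": "Kerberos"}}

if __name__ == "__main__":
    for finding in flag_event(parse_4624(SAMPLE_4624), BASELINE):
        print(finding)
```

On a real system the XML input would come from the event log export (for example the XML view of an event in Event Viewer); the baseline would be built from a period of known-good 4624 activity per account.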
Related Commands
- ExplicitLogonEvents - Explicit Logon events (Event ID 4648)
- LogonSessions - Windows logon sessions
- ProcessCreationEvents - Process creation logs (Event ID 4688)
- PowerShellEvents - PowerShell script block logs (Event ID 4104)
- SysmonEvents - Sysmon process creation logs (Event ID 1)
- LocalUsers - Local users and password last set
- LocalGroups - Non-empty local groups