This note documents detection patterns for logons within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | Core event for successful authentication. |
| Security | 4625 | Failed logon | Critical | Password guessing, invalid credentials, blocked access. |
| Security | 4634 | Logoff | High | Session closure timing. |
| Security | 4647 | User initiated logoff | Medium | Explicit user logoff. |
| Security | 4648 | Logon using explicit credentials | Critical | Strong lateral movement clue. |
| Security | 4672 | Special privileges assigned | Critical | Elevated session indicator. |
| Security | 4776 | NTLM authentication | High | Local/DC credential validation. |
| Security | 4768 | Kerberos TGT requested | Critical | Domain login start. |
| Security | 4769 | Kerberos service ticket requested | Critical | Service access after authentication. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unusual logon type | Type 3 / 10 / 9 at odd time | Critical | Remote access clue. |
| New source host | First-seen workstation/server | Critical | Strong anomaly. |
| Burst of failures then success | Brute force / password spray | Critical | Strong compromise pattern. |
| Explicit creds before admin action | 4648 before lateral movement | Critical | Operator behavior. |
| Privileged login on workstation | Admin token on non-admin host | Critical | High-value clue. |
| Service account interactive login | Rare behavior | High | Possible abuse. |
Common Tools
| Tool | Usage |
|---|---|
| RDP | Interactive remote login |
| runas.exe | Explicit credentials |
| PsExec | Remote logon chain |
| PowerShell remoting | Remote auth |
| SMB | Network logon |
| WinRM | Remote admin |
Relevant Artifacts
- Security Event IDs 4624, 4625, 4634, 4647, 4648, 4672, 4776, 4768, 4769
- Logon types:
  - 2 Interactive
  - 3 Network
  - 4 Batch
  - 5 Service
  - 7 Unlock
  - 8 NetworkCleartext
  - 9 NewCredentials
  - 10 RemoteInteractive
- Source IP / workstation name
- LUID correlation
- EDR session telemetry
MITRE ATT&CK References
- T1078 Valid Accounts
- T1021 Remote Services
- T1550 Use Alternate Authentication Material
Decision Tree
- Success or failure?
  - 4624
  - 4625
- Logon type?
  - Interactive
  - Network
  - RDP
  - NewCredentials
- Source expected?
  - Known host
  - New host
  - External pivot
- Elevated?
  - 4672 present
  - Admin account
- Follow-up activity?
  - Process creation
  - Enumeration
  - Lateral movement
- Scope:
  - Single login
  - Spray
  - Multi-host spread
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID in (4624,4625,4648,4672)
| project TimeGenerated, Computer, Account, IpAddress, LogonType, EventID

SecurityEvent
| where EventID == 4625
| summarize count() by IpAddress, Account
| where count_ > 5
```
EQL
```eql
authentication where event.code in ("4624","4625","4648")

sequence by source.ip with maxspan=10m
  [ authentication where event.code == "4625" ]
  [ authentication where event.code == "4624" ]
```
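As an added worked example (not part of this note), the "burst of failures then success" indicator and the EQL sequence above expressed as a small Python detector over constructed 4624/4625 records; the record field names, the five-failure threshold and the ten-minute window are assumptions chosen to match the templates.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, event_id, ip, user, logon_type=3):
    # Minimal Security-log shaped record; field names mirror the 4624/4625 schema.
    return {"TimeCreated": ts, "EventID": event_id, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}

# Constructed sample telemetry, not real data: 10.0.0.50 sprays six accounts and
# then lands a network logon; 10.0.0.77 is a user mistyping a password twice.
SAMPLE_EVENTS = [
    _ev("2026-03-07T08:00:05", 4625, "10.0.0.50", "alice"),
    _ev("2026-03-07T08:00:12", 4625, "10.0.0.50", "bob"),
    _ev("2026-03-07T08:00:20", 4625, "10.0.0.50", "carol"),
    _ev("2026-03-07T08:00:31", 4625, "10.0.0.50", "dave"),
    _ev("2026-03-07T08:00:44", 4625, "10.0.0.50", "erin"),
    _ev("2026-03-07T08:00:55", 4625, "10.0.0.50", "frank"),
    _ev("2026-03-07T08:02:10", 4624, "10.0.0.50", "frank"),
    _ev("2026-03-07T08:05:00", 4625, "10.0.0.77", "helpdesk", 2),
    _ev("2026-03-07T08:05:09", 4625, "10.0.0.77", "helpdesk", 2),
    _ev("2026-03-07T08:05:30", 4624, "10.0.0.77", "helpdesk", 2),
]

def detect_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a 4624 that follows >= min_failures 4625s from the same IpAddress
    within `window`: the 'burst of failures then success' indicator."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):  # ISO-8601 sorts lexically
        by_source[ev["IpAddress"]].append(ev)
    findings = []
    for ip, evs in by_source.items():
        failures = []  # (timestamp, account) of failures still inside the window
        for ev in evs:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            failures = [f for f in failures if ts - f[0] <= window]  # expire old ones
            if ev["EventID"] == 4625:
                failures.append((ts, ev["TargetUserName"]))
            elif ev["EventID"] == 4624 and len(failures) >= min_failures:
                targets = {user for _, user in failures}
                findings.append({
                    "source": ip, "account": ev["TargetUserName"],
                    "logon_type": ev["LogonType"], "failures": len(failures),
                    # Many distinct accounts => spray; one account => brute force
                    "pattern": "spray" if len(targets) > 1 else "brute_force",
                })
                failures = []  # one finding per burst
    return findings
```

Calling `detect_failures_then_success(SAMPLE_EVENTS)` returns one finding for 10.0.0.50 (six failures across six accounts, then success as frank, classified as a spray) and nothing for 10.0.0.77, which only trips when the threshold is lowered.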
Sigma
```yaml
title: Suspicious Login Detection
id: 8c4f1a23-logins
status: experimental
description: Detects suspicious authentication activity
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4624
      - 4625
      - 4648
      - 4672
  condition: selection
fields:
  - EventID
  - Account
  - IpAddress
  - LogonType
falsepositives:
  - Legitimate administration
level: medium
tags:
  - attack.initial_access
  - attack.lateral_movement
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on unusual logon type | Prioritize 3 / 9 / 10 | Critical | Strong signal |
| Correlate failures and success | Detect sprays | Critical | High-value pattern |
| Baseline source hosts | Detect new origins | High | Strong anomaly |
| Protect privileged accounts | Monitor 4672 closely | Critical | High-risk sessions |
| Retain full auth chain | Preserve LUID context | High | Essential for timeline |