{"id":63,"date":"2023-05-21T16:20:58","date_gmt":"2023-05-21T16:20:58","guid":{"rendered":"https:\/\/blog.sinamohebi.com\/?p=63"},"modified":"2023-06-06T14:20:42","modified_gmt":"2023-06-06T14:20:42","slug":"rdp-event-logs-tracking-4624-4625","status":"publish","type":"post","link":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/","title":{"rendered":"RDP Event logs tracking   4624 \/ 4625"},"content":{"rendered":"\n<p><strong>Event ID 4624<\/strong>&nbsp;is generated in the Windows Security Log when a successful logon occurs on a local computer. This event is generated on the computer that was accessed, meaning that it is the computer where the logon session was created. A related event,&nbsp;<strong>Event ID 4625<\/strong>, is generated when a logon attempt fails.<\/p>\n\n\n\n<p>The following information is included in Event ID 4624:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Subject:<\/strong>&nbsp;The account that requested the logon.<\/li>\n\n\n\n<li><strong>Logon Type:<\/strong>&nbsp;The type of logon that occurred.<\/li>\n\n\n\n<li><strong>New Logon:<\/strong>&nbsp;The account that was logged on.<\/li>\n\n\n\n<li><strong>Workstation Name:<\/strong>&nbsp;The name of the computer that was logged on to.<\/li>\n\n\n\n<li><strong>IP Address:<\/strong>&nbsp;The IP address of the computer that was logged on to.<\/li>\n<\/ul>\n\n\n\n<p>This information can be used to track who logged on to a computer, when they logged on, and from where they logged on. 
This information can be helpful in troubleshooting security issues and in identifying unauthorized access to computers.<\/p>\n\n\n\n<p class=\"has-large-font-size\">Example<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>An account was successfully logged on.\n\nSubject:\n   Security ID:  SYSTEM\n   Account Name:  WIN-R9H529RIO4Y$\n   Account Domain:  WORKGROUP\n   Logon ID:  0x3e7\nLogon Type:  3\nNew Logon:\n   Security ID:  WIN-R9H529RIO4Y\\\\Administrator\n   Account Name:  Administrator\n   Account Domain:  WIN-R9H529RIO4Y\n   Logon ID:  0x19f4c\n   Logon GUID:  {00000000-0000-0000-0000-000000000000}\nProcess Information:\n   Process ID:  0x4c0\n   Process Name:  C:\\\\Windows\\\\System32\\\\winlogon.exe\nNetwork Information:\n   Workstation Name: WIN-R9H529RIO4Y\n   Source Network Address: 10.42.42.211\n   Source Port:  1181\nDetailed Authentication Information:\n   Logon Process:  User32 \n   Authentication Package: Negotiate\n   Transited Services: -\n   Package Name (NTLM only): -\n   Key Length:  0\n<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading has-large-font-size\"><strong>Description of<\/strong>&nbsp;<strong>Logon Type<\/strong><\/h1>\n\n\n\n<p>Events 4624 and 4625 provide important information, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Logon Type:<\/strong>&nbsp;This field indicates the type of logon that occurred and how the user logged on. There are nine different types of logons, with the most common being logon type 2 (interactive) and logon type 3 (network). 
Any logon type other than 5 (which denotes a service startup) should be considered a red flag.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Logon types and descriptions<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Logon Type<\/th><th>Logon Title<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>0<\/td><td>System<\/td><td>Used only by the System account, for example at system startup.<\/td><\/tr><tr><td>2<\/td><td>Interactive<\/td><td>A user logged on to this computer.<\/td><\/tr><tr><td>3<\/td><td>Network<\/td><td>A user or computer logged on to this computer from the network.<\/td><\/tr><tr><td>4<\/td><td>Batch<\/td><td>Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.<\/td><\/tr><tr><td>5<\/td><td>Service<\/td><td>A service was started by the Service Control Manager.<\/td><\/tr><tr><td>7<\/td><td>Unlock<\/td><td>This workstation was unlocked.<\/td><\/tr><tr><td>8<\/td><td>NetworkCleartext<\/td><td>A user logged on to this computer from the network. The user&#8217;s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).<\/td><\/tr><tr><td>9<\/td><td>NewCredentials<\/td><td>A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.<\/td><\/tr><tr><td>10<\/td><td>RemoteInteractive<\/td><td>A user logged on to this computer remotely using Terminal Services or Remote Desktop.<\/td><\/tr><tr><td>11<\/td><td>CachedInteractive<\/td><td>A user logged on to this computer with network credentials that were stored locally on the computer. 
The domain controller was not contacted to verify the credentials.<\/td><\/tr><tr><td>12<\/td><td>CachedRemoteInteractive<\/td><td>Same as RemoteInteractive. This is used for internal auditing.<\/td><\/tr><tr><td>13<\/td><td>CachedUnlock<\/td><td>Workstation logon.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>According to the table above, the value for RemoteInteractive (Remote Desktop) is &#8220;10&#8221;. However, there is something that Microsoft did not tell you!<\/p>\n\n\n\n<p><code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><kbd><strong>If you try to connect to a computer using mstsc.exe (Remote Desktop) with its IP address, the Logon Type field will be equal to 3 (Network). However, if you use the computer's hostname (FQDN), such as \"sinamohebi.lib.dc2\", we expect to see Logon Type 10.<\/strong><\/kbd><\/mark><\/code><\/p>\n\n\n\n<p>Here is the explanation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When you connect to a computer using its IP address, the Remote Desktop Protocol (RDP) uses TCP\/IP to establish the connection. This is considered a network logon.<\/li>\n\n\n\n<li>When you connect to a computer using its hostname, RDP first uses DNS to resolve the hostname to an IP address. Once the IP address is known, RDP uses TCP\/IP to establish the connection. This is considered a remote interactive logon.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Event ID 4624&nbsp;is generated in the Windows Security Log when a successful logon occurs on a local computer. This event is generated on the computer that was accessed, meaning that it is the computer where the logon session was created. A related event,&nbsp;Event ID 4625, is generated when a logon attempt fails. 
The following information&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[8,9,11,10,6,7],"class_list":["post-63","post","type-post","status-publish","format-standard","hentry","category-soc","tag-8","tag-9","tag-logon-type","tag-rdp","tag-soc","tag-windows-event-log"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>RDP Event logs tracking  4624 \/ 4625 - Sina Mohebi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"RDP Event logs tracking  4624 \/ 4625 - Sina Mohebi\" \/>\n<meta property=\"og:description\" content=\"Event ID 4624&nbsp;is generated in the Windows Security Log when a successful logon occurs on a local computer. This event is generated on the computer that was accessed, meaning that it is the computer where the logon session was created. A related event,&nbsp;Event ID 4625, is generated when a logon attempt fails. 
The following information...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\" \/>\n<meta property=\"og:site_name\" content=\"Sina Mohebi\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-21T16:20:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-06T14:20:42+00:00\" \/>\n<meta name=\"author\" content=\"Sina\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sina\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\"},\"author\":{\"name\":\"Sina\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"headline\":\"RDP Event logs tracking 4624 \/ 4625\",\"datePublished\":\"2023-05-21T16:20:58+00:00\",\"dateModified\":\"2023-06-06T14:20:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\"},\"wordCount\":541,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"keywords\":[\"4624\",\"4625\",\"Logon type\",\"rdp\",\"SOC\",\"Windows Event 
log\"],\"articleSection\":[\"SOC\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\",\"name\":\"RDP Event logs tracking 4624 \/ 4625 - Sina Mohebi\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\"},\"datePublished\":\"2023-05-21T16:20:58+00:00\",\"dateModified\":\"2023-06-06T14:20:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/21\/rdp-event-logs-tracking-4624-4625\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.sinamohebi.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"RDP Event logs tracking 4624 \/ 4625\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\",\"url\":\"https:\/\/blog.sinamohebi.com\/\",\"name\":\"Sina Mohebi's Blog\",\"description\":\"Home for Security 
analysts\",\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.sinamohebi.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\",\"name\":\"Sina\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"contentUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"width\":1196,\"height\":842,\"caption\":\"Sina\"},\"logo\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/blog.sinamohebi.com\",\"https:\/\/www.linkedin.com\/in\/sinamohebi\/\"],\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/author\/sina\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}