Event ID 4624: Paired Sessions, Integrity Levels, and UAC

The 4624 event in the Security log records every successful logon to a Windows system: which account logged on, when, how (the logon type) and from where. Most 4624s are routine, but the one an attacker generates with stolen or guessed credentials looks the same at a glance, so SOC analysts need to read the event's individual fields rather than just count occurrences.

Event ID 4624 Details

Sessions (TargetLogonId, TargetLinkedLogonId)

  TargetLogonId is the logon session ID (a LUID such as 0x3e7a1) assigned when the logon succeeds; every process started in that session carries it in its access token, which is how a 4624 can be joined to later process, object-access and 4672 events. For members of the local Administrators group, UAC registers two linked sessions, one with the filtered token and one with the full elevated token, and each of the two 4624 events names its partner in TargetLinkedLogonId (0x0 when there is no linked session).

Restricted Admin Mode

  Populated only for RDP logons (Logon Type 10); "-" otherwise. "Yes" means the client connected with Restricted Admin mode (mstsc /restrictedAdmin), so the user's credentials were never sent to or cached on the remote host and cannot be dumped from its LSASS. The trade-off is that Restricted Admin also accepts an NT hash in place of a password, so an attacker who has already dumped credentials elsewhere can RDP in with the hash alone; a "Yes" on a host where nobody uses that option is worth a look.

Impersonation Level

  How far a server process may act on behalf of the authenticated user: %%1831 Anonymous, %%1832 Identification, %%1833 Impersonation, %%1840 Delegation. This is not the token's integrity level; whether a session holds the full administrator token or the UAC-filtered one is recorded in the separate Elevated Token field (%%1842 Yes, %%1843 No).


SID, RID, and Well-Known SIDs


A SID (Security Identifier) is the unique value Windows uses to represent a user, group, computer or other security principal. Its final component, the Relative Identifier (RID), distinguishes the principal from every other one in the same domain or on the same local machine.

SID Structure

A SID follows this format:

S-R-X-Y1-Y2-...-Yn  

Where:

  • S: Literal prefix marking the string as a SID.

  • R: Revision level (1 for every SID in use today).

  • X: Identifier authority (e.g., 5 for NT Authority, 1 for World Authority, 0 for Null Authority).

  • Y1-Yn-1: Sub-authority values. For domain and local accounts these are 21 followed by three 32-bit values that together identify the domain or machine.

  • Yn: The RID, which identifies the principal within that domain or machine.

Example SID

S-1-5-21-1463437245-1224812800-863842198-500  
  • S-1-5: NT Authority.

  • 21-1463437245-1224812800-863842198: Domain identifier.

  • 500: RID for the built-in Administrator account.

Well-Known SIDs

SID         Description
S-1-0-0     Null SID
S-1-1-0     Everyone
S-1-5-18    Local System
S-1-5-19    Local Service
S-1-5-20    Network Service

Common RIDs

RID         Description
500         Administrator (built-in; the RID stays 500 even when the account is renamed)
501         Guest
512         Domain Admins
1000+       Accounts and groups created after installation (RIDs below 1000 are reserved for built-in principals)
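To make the format concrete, here is an added Python example (not code from the original page) that parses a SID string into its revision, authority and sub-authorities, extracts the domain identifier and RID, and names the principal using the well-known SID and RID tables above. The sample SIDs are the page's example plus a few constructed ones; anything outside those tables is reported as unclassified.

```python
"""Parse a Windows SID string and name the well-known principals it denotes.

Added example; not code from the original page. The lookup tables hold
only the well-known SIDs and RIDs listed above plus the S-1-5-21 domain
prefix; everything else is reported as unclassified.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

AUTHORITIES = {0: "Null Authority", 1: "World Authority", 5: "NT Authority"}

WELL_KNOWN_SIDS = {                      # whole-string matches
    "S-1-0-0": "Null SID",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")   # S-R-X-Y1-...-Yn


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> Optional[int]:
        """Last sub-authority (Yn); None when the SID has no sub-authorities."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain(self) -> Optional[str]:
        """S-1-5-21-<a>-<b>-<c> for domain/machine principals, else None."""
        subs = self.sub_authorities
        if self.authority == 5 and 4 <= len(subs) <= 5 and subs[0] == 21:
            return "S-1-5-" + "-".join(str(s) for s in subs[:4])
        return None

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.sub_authorities)])


def parse_sid(text: str) -> Sid:
    """Parse 'S-R-X-Y1-...-Yn'; raises ValueError for malformed input."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    if len(subs) > 15:                   # SID_MAX_SUB_AUTHORITIES
        raise ValueError("more than 15 sub-authorities")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def classify(text: str) -> str:
    """Human-readable name for the principal a SID denotes."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    domain = sid.domain
    if domain is not None:
        if len(sid.sub_authorities) == 4:          # the domain/machine SID itself
            return f"domain or machine SID {domain}"
        rid = sid.rid
        if rid in WELL_KNOWN_RIDS:
            return f"{WELL_KNOWN_RIDS[rid]} (RID {rid}) in {domain}"
        if rid >= 1000:
            return f"user-created principal (RID {rid}) in {domain}"
        return f"reserved built-in RID {rid} in {domain}"
    return f"unclassified SID under {AUTHORITIES.get(sid.authority, sid.authority)}"


if __name__ == "__main__":
    # the page's example SID, a well-known SID, and a constructed user SID
    for s in ("S-1-5-21-1463437245-1224812800-863842198-500", "S-1-5-18",
              "S-1-5-21-1463437245-1224812800-863842198-1105"):
        print(f"{s:50} -> {classify(s)}")
```

The useful habit this encodes: match on the domain prefix plus RID, never on the account name. A renamed Administrator still has RID 500, and a 4624 for TargetUserSid ending in -500 is a built-in Administrator logon whatever TargetUserName says.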


Key Insights

Relay/Coerce Attack Indicator: WorkstationName is supplied by the client inside the NTLM authentication message (it is empty for Kerberos logons), while IpAddress is the source the server actually saw. If the two refer to different hosts, the authentication may have been relayed: a coerced victim authenticated to the attacker's machine, which forwarded the messages to this server. Resolve the name against an asset inventory rather than trusting it.

Interactive/RDP Logon: IpAddress "-" with IpPort 0 means no network source was recorded, as for a console logon (Type 2) or a system-initiated one. RDP logons (Type 10) carry the client's IP address but also frequently show IpPort 0, so use LogonType, not the port, to tell the two apart.


Logon Types Explained

Logon types in Event 4624 record how the authentication occurred:

Type  Name                      Description
0     System                    Used only by the System account, e.g. the first logon at boot.
2     Interactive               Logon at the local keyboard and screen; includes hypervisor console access (VMware, Hyper-V).
3     Network                   Access to a resource over the network (SMB shares, RPC, WinRM, HTTP with Windows auth). The most frequent type on servers.
4     Batch                     Scheduled task running under a stored account.
5     Service                   Service started by the Service Control Manager under a configured account.
6     Proxy                     Defined but not used by Windows.
7     Unlock                    Workstation unlock.
8     NetworkCleartext          Network logon where the password reached the server in cleartext (e.g., IIS Basic Authentication).
9     NewCredentials            Caller cloned its token with new credentials for outbound network use only (runas /netonly); the local token is unchanged.
10    RemoteInteractive         Remote Desktop or Terminal Services session.
11    CachedInteractive         Interactive logon verified against locally cached domain credentials because no domain controller was reachable.
12    CachedRemoteInteractive   Remote Desktop logon verified against cached credentials.
13    CachedUnlock              Workstation unlock verified against cached credentials.

Cached Credentials: By default Windows keeps a verifier for the last 10 domain users who logged on interactively (stored under HKLM\SECURITY\Cache as MSCache v2 values) so they can still log on when no domain controller is reachable; such logons appear as Types 11, 12 and 13. The count is set by Group Policy:

  • Policy Path: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  • Policy Name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".

  • Values: 0 (disable caching) to 50. The policy writes the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

Cached verifiers are a common target after a host compromise because they can be cracked offline, so keep the count as low as the environment tolerates: laptops need a few, while servers that never lose sight of a domain controller can use 0.

Protected Users Group: In domains with a functional level of Windows Server 2012 R2 or higher, members of the Protected Users group get no cached credentials at all (and cannot authenticate with NTLM), so they can never produce a Type 11, 12 or 13 logon. Privileged accounts belong in it.


Threat Detection with 4624/4625

  • Account Compromise:

    • A 4624 from a source that has just produced a burst of 4625s is the success at the end of a brute-force (many failures, one account) or password-spray (few failures each across many accounts) attempt. Key the failures by source address, not by account, or sprays stay under the threshold.

  • Critical System Access:

    • Alert on logons to domain controllers, database servers and other crown jewels, on logons at unusual hours or from unexpected addresses, and on logon types an account should never use (an interactive logon by a service account, a Type 3 logon by a workstation-only user).

  • Incident Investigation:

    • Establish who accessed the system, when, from where and with what privileges, then pivot on TargetLogonId to everything that session did.

Correlated Events

  1. Event 4625 (Failed Logon): A run of 4625s from one source precedes a brute-force or spray success; the 4624 that follows from the same source is the event to alert on.

  2. Event 4672 (Special Privileges Assigned to New Logon): Written at the same instant as the 4624 when the new session holds sensitive privileges such as SeDebugPrivilege or SeBackupPrivilege. Its SubjectLogonId equals the 4624's TargetLogonId, so the two can be joined to tell an ordinary logon from a privileged one.


Mandatory Label

The access token created at logon carries a mandatory integrity label (System, High, Medium or Low). Mandatory Integrity Control checks this label before the DACL: a process may not write to, or send certain messages to, an object or process with a higher label. Event 4624 does not record the label itself; for administrators the Elevated Token field is the only hint, since it says whether the session holds the full token (which runs at High) or the UAC-filtered one (which runs at Medium).

Integrity Level   Description
System            Services and OS-critical processes.
High              Elevated (administrator) processes.
Medium            Standard user processes, including an administrator's non-elevated ones.
Low               Sandboxed processes that can write almost nowhere (browser renderers, Protected Mode).


User Account Control (UAC)

When a member of the local Administrators group logs on interactively, UAC splits the logon into two sessions, each with its own access token:

  1. Filtered Token (Medium Integrity):

    • The Administrators group SID is marked deny-only and most privileges are stripped, so this token is a standard user's in all but name.

    • Used by Explorer and everything launched from it; this is the session most of the user's activity appears under.

    • Its 4624 carries Elevated Token: %%1843 (No).

  2. Full Token (High Integrity):

    • Holds the real Administrators membership and privileges; used only by processes that were elevated.

    • Its 4624 carries Elevated Token: %%1842 (Yes).

Both 4624 events are written for the same user at the same instant, and each holds the other's logon ID in TargetLinkedLogonId. A logon that was not split (a standard user, or the built-in Administrator while Admin Approval Mode for that account stays at its default of disabled) produces a single 4624 with TargetLinkedLogonId = 0x0.
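The pairing described above, as an added Python example (not from the original page): it parses 4624 events in the Security log's XML layout, re-joins the two sessions through TargetLinkedLogonId, resolves Elevated Token for each, and applies the WorkstationName/IpAddress relay check from Key Insights. The three events, the usernames, the logon IDs and the ASSET_IPS inventory used to resolve workstation names are constructed for the example.

```python
"""Parse raw 4624 XML and re-join the two sessions UAC creates for an admin.

Added example; not code from the original page. The events below are
constructed in the Security log's XML schema (the Event namespace and the
<EventData><Data Name=...> layout are real; users, logon IDs and the
ASSET_IPS inventory are made up). Also applies the WorkstationName/IpAddress
relay check from Key Insights.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ELEVATED_TOKEN = {"%%1842": "Yes", "%%1843": "No"}          # 4624 ElevatedToken values
ASSET_IPS = {"WS01": "10.0.0.11", "FILESRV02": "10.0.0.40"}  # assumed inventory lookup


def make_4624(time, **data):
    """Render constructed EventData as a 4624 in the Security log's XML layout."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{rows}</EventData></Event>')


COMMON = dict(TargetDomainName="CORP", LogonProcessName="User32",
              AuthenticationPackageName="Negotiate", WorkstationName="WS01",
              IpAddress="-", IpPort="0", ImpersonationLevel="%%1833",
              RestrictedAdminMode="-")

RAW_EVENTS = [
    # local admin "jdoe" at the console: the filtered (Medium) session...
    make_4624("2024-03-01T08:00:00Z", TargetUserName="jdoe", LogonType="2",
              TargetLogonId="0x1a2b3c", TargetLinkedLogonId="0x1a2b4d",
              ElevatedToken="%%1843", **COMMON),
    # ...and the linked full-token (High) session logged at the same instant
    make_4624("2024-03-01T08:00:00Z", TargetUserName="jdoe", LogonType="2",
              TargetLogonId="0x1a2b4d", TargetLinkedLogonId="0x1a2b3c",
              ElevatedToken="%%1842", **COMMON),
    # standard user over SMB: one session, no link; the NTLM-supplied
    # WorkstationName names a host other than the one the packets came from
    make_4624("2024-03-01T08:01:10Z", TargetUserName="bwong", LogonType="3",
              TargetLogonId="0x2c4e10", TargetLinkedLogonId="0x0",
              ElevatedToken="%%1843",
              **{**COMMON, "AuthenticationPackageName": "NTLM",
                 "WorkstationName": "FILESRV02", "IpAddress": "10.0.0.23",
                 "IpPort": "49812"}),
]


def parse_4624(xml_text):
    """Flatten one event into a dict keyed by the EventData Name attributes."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
           "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec


def flags(rec):
    """Field-level indicators worth surfacing on a single 4624."""
    out = []
    ws, ip = rec.get("WorkstationName", "-"), rec.get("IpAddress", "-")
    if ip != "-" and ws in ASSET_IPS and ASSET_IPS[ws] != ip:
        out.append("WorkstationName/IpAddress mismatch: possible NTLM relay")
    if rec.get("RestrictedAdminMode") == "Yes":
        out.append("Restricted Admin RDP: no reusable credentials left on host")
    return out


def link_sessions(records):
    """Group 4624s into logical logons, pairing UAC-split sessions via TargetLinkedLogonId."""
    by_id = {r["TargetLogonId"]: r for r in records if r["EventID"] == 4624}
    seen, logons = set(), []
    for r in records:
        if r["EventID"] != 4624 or r["TargetLogonId"] in seen:
            continue
        pair = [r]
        peer = by_id.get(r["TargetLinkedLogonId"])  # None for 0x0 or a missing partner
        if peer is not None:
            pair.append(peer)
        seen.update(p["TargetLogonId"] for p in pair)
        logons.append({
            "user": r["TargetUserName"],
            "logon_type": int(r["LogonType"]),
            "tokens": {p["TargetLogonId"]: ELEVATED_TOKEN.get(p["ElevatedToken"], "?")
                       for p in pair},
            "uac_split": len(pair) == 2,
            "flags": flags(r),
        })
    return logons


if __name__ == "__main__":
    for logon in link_sessions([parse_4624(x) for x in RAW_EVENTS]):
        print(logon)
```

Run it and the administrator's two sessions collapse into one logon whose tokens read {0x1a2b3c: No, 0x1a2b4d: Yes}, while the network logon comes out alone and flagged. In a SIEM, do the same join on TargetLogonId = TargetLinkedLogonId so that a hunt for "admin logons" counts the user once rather than twice, and so that later events carrying the elevated logon ID can be tied back to the console logon that spawned it.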

How UAC Works:

  • Default Behavior: Even administrator accounts run at Medium integrity until elevation is requested, so code running as the user cannot touch admin-only resources without triggering a prompt.

  • Elevation Prompt: When a process requests administrator rights, UAC asks for consent (or for credentials, in the case of a standard user) on the secure desktop and then starts the process under the full token.

  • AutoElevate: Microsoft-signed binaries in protected locations (e.g., fodhelper.exe, mmc.exe under %SystemRoot%\System32) whose manifest includes autoElevate="true" elevate without a prompt at the default UAC level, which only prompts for non-Windows binaries.

UAC Bypass

Attackers who already run as an administrator at Medium integrity abuse these auto-elevating binaries to reach High integrity without a prompt: they change something the binary consults when it starts (fodhelper.exe, for example, reads a per-user protocol-handler registry key), launch it, and inherit an elevated process. This is not a privilege escalation from a standard user; it defeats the consent prompt for an account that already holds admin rights, which is why Microsoft does not treat the default UAC level as a security boundary.

Detection Tips:

  • Compare parent/child process integrity levels (Sysmon Event 1 records both IntegrityLevel and ParentImage): a High-integrity process whose parent ran at Medium, with no consent.exe prompt in between, deserves a look.

  • Auto-elevating binaries such as fodhelper.exe rarely spawn child processes; a cmd.exe or powershell.exe running at High integrity with one of them as its parent is a strong bypass signal.

  • Watch registry writes (Sysmon Events 12/13) to the keys and COM registrations these binaries consult, especially under HKCU, which the user can modify without elevation.
