What is a Type 3 logon?

Logon type 3: Network. A user or computer logged on to this computer from the network. The description of this logon type clearly states that the event is logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.).
View complete answer on eventlogxp.com


Is logon Type 3 RDP?

According to my knowledge and test, the Logon Type value = 3 is expected for Terminal Service and RDP. You will get this logon type 3 when you are using NLA (Network Layer Authentication) as the authentication type since it will try and pre-authenticate you prior to giving you RDP access.
View complete answer on social.technet.microsoft.com


What is a Type 10 logon?

Logon type 10 refers to remote interactive logons. Event ID 528 with logon type 10 means that the user logged on to the computer through RDP by using either Remote Desktop or Windows 2000 Server Terminal Services.
View complete answer on itprotoday.com


What is the difference between login and special logon?

A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. There is also some discussion at the Technet answers site about having lots of these: This is a useful right for detecting any "super user" account logons.
View complete answer on superuser.com


What is Advapi logon?

The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process. If you are not hosting IIS websites, this might mean that the computer is infected.
View complete answer on superuser.com



What is logon process Kerberos?

If the logon was to a Windows resource and authenticated via Kerberos, the Logon Process field would list “Kerberos.” Generally, the Logon Process field provides a hint at how the user tried to access the system: at its console, through Server Message Block (SMB) or Common Internet File System (CIFS) for shared-folder ...
View complete answer on ultimatewindowssecurity.com


What is a type 5 logon?

Virtual Accounts only come up in Service logon types (type 5), when Windows starts a logon session in connection with a service starting up. You can configure services to run as a virtual account which is what Microsoft calls a "managed local account".
View complete answer on ultimatewindowssecurity.com


What is login type 2?

Logon Type 2: Interactive.

An event with logon type=2 occurs whenever a user logs on (or attempts to log on) a computer locally, e.g. by typing user name and password on Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account.
View complete answer on eventlogxp.com


What is a batch logon?

Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
View complete answer on community.broadcom.com


Is RDP interactive logon?

10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
View complete answer on itprotoday.com


How does NTLM authentication work?

NTLM Authentication Process

The client passes a plain text version of the username to the relevant server. The server replies to the client with a challenge, which is a 16-byte random number. In response, the client sends the challenge encrypted by the hash of the user's password.
View complete answer on crowdstrike.com


What does anonymous logon mean?

An anonymous login is a process that allows a user to login to a website anonymously, often by using "anonymous" as the username. In this case, the login password can be any text, but it is typically a user's email address. Users are able to access general services or public information by using anonymous logins.
View complete answer on techopedia.com


What is local logon?

A local logon grants a user permission to access Windows resources on the local computer. A local logon requires that the user has a user account in the Security Accounts Manager (SAM) on the local computer.
View complete answer on docs.microsoft.com


What is a login domain?

A domain user is one whose username and password are stored on a domain controller rather than the computer the user is logging into. When you log in as a domain user, the computer asks the domain controller what privileges are assigned to you.
View complete answer on kb.iu.edu


What is a logon server?

If your computer is connected to domain or workgroup then LOGONSERVER means the group or domain to which your computer is connected.
View complete answer on answers.microsoft.com


What is security ID system?

It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
View complete answer on docs.microsoft.com


What is elevated token?

Elevated Token is a Windows Security Log Event-Windows Logon field that is a Yes/No Flag indicating that the session this event represents is using some level of a Privileged Identity.
View complete answer on ldapwiki.com


What is Windows impersonation level?

The varying degrees of impersonation are called impersonation levels, and they indicate how much authority is given to the server when it is impersonating the client. Currently, there are four impersonation levels: anonymous, identify, impersonate, and delegate.
View complete answer on docs.microsoft.com


What is NetworkCleartext?

NetworkCleartext (Service) is a Windows Logon Type that implies a User logged on to this computer from the network and user's password was passed to the authentication package in cleartext. The built-in authentication packages all hash credentials before sending them across the network.
View complete answer on ldapwiki.com


What is Kerberos and how it works?

Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities. A KDC involves three aspects: a ticket-granting server (TGS) that connects the user with the service server (SS); a Kerberos database that stores the password and identification of all verified users.
View complete answer on fortinet.com


How do I know if I have Kerberos authentication?

Once Kerberos logging is enabled, then, log into stuff and watch the event log. If you're using Kerberos, then you'll see the activity in the event log. If you are passing your credentials and you don't see any Kerberos activity in the event log, then you're using NTLM.
View complete answer on serverfault.com


What is the purpose of Kerberos?

Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.
View complete answer on techtarget.com


Is AdvApi a malware?

AdvApi is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying further investigation of advapi.exe may cause serious harm to your system and will likely cause a number of problems, loss of data, loss of control or leaking private information.
View complete answer on auditmypc.com


What is Caller process name?

Caller Process Name: Identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611.
View complete answer on ultimatewindowssecurity.com