
Authentication events form the foundation of Windows security monitoring. Understanding how to analyze logon events reveals unauthorized access, credential abuse, and lateral movement.
Event ID 4624 includes a Logon Type field distinguishing how authentication occurred:
Type 2 (Interactive) - Console logon at the physical machine or virtual console.
Type 3 (Network) - Network logon, such as accessing file shares or web applications. Most common type in enterprise environments.
Type 4 (Batch) - Scheduled task execution.
Type 5 (Service) - Service starting under a service account.
Type 7 (Unlock) - Workstation unlock.
Type 10 (RemoteInteractive) - Remote Desktop (RDP) sessions.
Type 11 (CachedInteractive) - Logon using cached credentials while the domain controller is unreachable.
Different logon types suggest different investigation approaches. Type 10 from unexpected sources might indicate compromised RDP. Type 3 across many systems might indicate lateral movement.
Event ID 4625 includes a SubStatus code explaining why authentication failed:
0xC0000064 - User name does not exist
0xC000006A - Incorrect password
0xC0000234 - Account locked out
0xC0000072 - Account disabled
0xC000006F - Account restriction (time or workstation)
Patterns reveal attack types. Many failures with incorrect passwords against one account suggest brute force. Failures across many accounts with the same password suggest password spraying. Failures for non-existent users suggest enumeration. Beyond failure codes, several authentication anomalies warrant closer investigation:
Impossible travel - Same account authenticating from geographically distant locations within impossible timeframes.
Multiple authentication failures followed by success - Potential successful password guess after brute force.
Service account interactive logons - Service accounts should not log on interactively.
Logons outside business hours - Legitimate users follow patterns; attackers often operate outside normal hours.
Authentication from unexpected sources - Users typically authenticate from their assigned workstations; deviation suggests compromise or policy violation.
Build baselines of normal authentication patterns. Deviation from baselines warrants investigation.
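The failure patterns and anomalies described above, turned into detection logic over constructed 4624/4625 records. This is an added example, not part of the original lesson; the tuple layout, the svc_ prefix for service accounts, the threshold of three and the sample values are all assumptions for illustration.

```python
from collections import defaultdict

SERVICE_PREFIX = "svc_"  # assumed naming convention for service accounts (constructed)
# Constructed sample events, not real logs: (event_id, account, source_ip, logon_type, substatus)
SAMPLE = [
    (4625, "jdoe", "10.0.0.5", 3, "0xC000006A"),   # three bad passwords for one account...
    (4625, "jdoe", "10.0.0.5", 3, "0xC000006A"),
    (4625, "jdoe", "10.0.0.5", 3, "0xC000006A"),
    (4624, "jdoe", "10.0.0.5", 3, None),           # ...then a success from the same source
    (4625, "alice", "10.0.0.9", 3, "0xC000006A"),  # one bad password each across many accounts
    (4625, "bob", "10.0.0.9", 3, "0xC000006A"),
    (4625, "carol", "10.0.0.9", 3, "0xC000006A"),
    (4625, "admin2", "10.0.0.9", 3, "0xC0000064"), # user names that do not exist
    (4625, "backup1", "10.0.0.9", 3, "0xC0000064"),
    (4625, "test", "10.0.0.9", 3, "0xC0000064"),
    (4624, "svc_sql", "10.0.0.20", 10, None),      # service account over RDP
]

def analyze(events, threshold=3):
    """Return a sorted list of (finding, key) tuples derived from 4624/4625 records."""
    wrong_pw = defaultdict(int)        # (source, account) -> count of 0xC000006A failures
    spray_accounts = defaultdict(set)  # source -> accounts that saw a bad-password failure
    unknown_users = defaultdict(set)   # source -> user names rejected with 0xC0000064
    findings = set()
    for event_id, account, source, logon_type, substatus in events:
        if event_id == 4625:
            if substatus == "0xC000006A":
                wrong_pw[(source, account)] += 1
                spray_accounts[source].add(account)
            elif substatus == "0xC0000064":
                unknown_users[source].add(account)
        elif event_id == 4624:
            # Success after repeated failures from the same source: likely a guessed password.
            if wrong_pw.get((source, account), 0) >= threshold:
                findings.add(("failure_then_success", f"{account}@{source}"))
            # Interactive logon types (2, 10, 11) by a service account should not happen.
            if logon_type in (2, 10, 11) and account.startswith(SERVICE_PREFIX):
                findings.add(("service_interactive_logon", f"{account}@{source}"))
    for (source, account), n in wrong_pw.items():
        if n >= threshold:
            findings.add(("brute_force", f"{account}@{source}"))
    for source, accounts in spray_accounts.items():
        # Many distinct accounts, each with few failures, from a single source.
        if len(accounts) >= threshold and all(wrong_pw[(source, a)] < threshold for a in accounts):
            findings.add(("password_spray", source))
    for source, names in unknown_users.items():
        if len(names) >= threshold:
            findings.add(("enumeration", source))
    return sorted(findings)
```

Calling analyze(SAMPLE) flags the brute force and subsequent success for jdoe, the spray and enumeration from 10.0.0.9, and the service account's RDP logon; in practice the thresholds would be tuned against the baselines described above.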
What Event IDs are critical for security?
What Event ID indicates a failed login?
What indicates lateral movement?
What Event ID indicates a successful login?