Windows Event ID 4624 displays a numerical value for the type of login that was attempted. These numbers are important from a forensic standpoint but also for understanding credential exposure and mitigating risks. Descriptions in replies.
Logon type 10: this is the typical RDP alert, meaning Terminal Services was engaged for the logon. Third-party software like virtualization consoles and screen sharing can also generate it. It means credentials were in memory (lsass) and also hit cached credentials.
Logon type 2: interactive logon, typically associated with hands on keyboard. Credentials in memory and cached credentials. This event can also be generated using RunAs - which is why some normal admin behavior is risky.
Logon type 4: this says ‘batch’ but it usually means scheduled task. If you run a task with a domain admin credential it both gets into lsass memory and is stored in a portion of the registry accessible to all administrators known as LSAsecrets. Look for the logon to track risk.
Logon type 5: logon as a service. Just like batch these creds hit disk and memory. The LSAsecrets registry portion stores these credentials so services can start. Attackers (or users) with admin can recover them. Grill vendors that ask for services running as wide/domain admin.
Logon type 9: RunAs Netonly. I have written an entire blog post about complications this logon type can add to security threat models and investigations: blogs.technet.microsoft.com/jepayne/2016/0…
Logon type 3: ‘Network logon.’ This logon means credentials don’t get stored in lsass or on disk, which makes it a safer remote admin option. There is still a risk of credential theft if Kerberos delegation is in play for the account or the endpoint in question.
Logon type 8: clear text logon. Means creds were sent over the wire in plain text, usually for IIS. Other circumstances such as some PowerShell and third-party management software on the same host can show it too. But it does mean plain text; the exposure is on the network, and IPsec can mitigate it.
Logon type 7: workstation unlock. It means what it says and leads to a logon type 2. However it should not be used as a reliable forensic artifact of a butt in a chair or at a RDP console as there are ways it doesn’t happen. Lack of a 7 does not mean there was no unlock.
Logon type 11: Cached Interactive. This is what makes laptops work from home, so don’t disable it out of paranoia. Uses cached credentials to log on. Cached creds are stored in mscache2 format which, contrary to popular belief, can be cracked. Avoid high value account logins to these.
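The exposure table in the tweets above maps directly onto a triage rule for 4624 events. The following is an added example, not code from the thread's author or from any Microsoft tool: it parses 4624 events rendered as XML (the field names TargetUserName, TargetDomainName, LogonType, IpAddress and Computer are the real 4624 schema; the sample events, host names and the `privileged` / `workstations` lists are constructed for the demonstration) and reports where each logon left credential material. It also covers the later point in this page about highly privileged accounts doing logon type 4 or 5 to workstations.

```python
"""Triage Windows Security 4624 logon events by the credential exposure each
logon type implies (exposure mapping taken from the thread above)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Where credential material lands for each logon type, per the thread.
# Type 9 (RunAs /netonly) is only referenced to the linked post, so it is left unmapped.
LOGON_TYPES = {
    2: ("Interactive", {"lsass", "cached"}),
    3: ("Network", set()),              # nothing in lsass or on disk (delegation caveat aside)
    4: ("Batch", {"lsass", "lsasecrets"}),
    5: ("Service", {"lsass", "lsasecrets"}),
    7: ("Unlock", {"lsass", "cached"}),  # leads to a type 2 logon
    8: ("NetworkCleartext", {"wire-plaintext"}),
    9: ("NewCredentials", set()),
    10: ("RemoteInteractive", {"lsass", "cached"}),
    11: ("CachedInteractive", {"cached"}),
}


def parse_4624(xml_text: str) -> dict:
    """Pull the fields the rules need out of a 4624 event rendered as XML."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        raise ValueError("not a 4624 event")
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "host": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "logon_type": int(data.get("LogonType", "0")),
        "ip": data.get("IpAddress", ""),
    }


def assess(ev: dict, privileged=frozenset(), workstations=frozenset()) -> dict:
    """Apply the thread's risk rules to one parsed event.
    privileged: lower-cased account names the caller treats as high value (assumed list).
    workstations: lower-cased hostnames that are end-user workstations (assumed list)."""
    name, exposure = LOGON_TYPES.get(ev["logon_type"], ("Unknown", set()))
    findings = []
    is_priv = ev["user"].lower() in privileged
    if ev["logon_type"] == 8:
        findings.append("credentials sent in cleartext on the network")
    if is_priv and exposure & {"lsass", "lsasecrets", "cached"}:
        findings.append("privileged credential exposed: " + ", ".join(sorted(exposure)))
    if is_priv and ev["logon_type"] in (4, 5) and ev["host"].lower() in workstations:
        findings.append("privileged batch/service logon on a workstation")
    return {"user": ev["user"], "host": ev["host"], "type": name, "findings": findings}


def make_event(host, user, domain, logon_type, ip="-"):
    """Build a minimal 4624 event (constructed sample, not a real log)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>{host}</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample events: a DA scheduled task on a workstation, a normal user,
# a DA network logon to a server, an IIS cleartext logon and a DA cached logon on a laptop.
SAMPLE_EVENTS = [
    make_event("WKS01.corp.example", "da-admin", "CORP", 4),
    make_event("WKS02.corp.example", "jdoe", "CORP", 2),
    make_event("SRV01.corp.example", "da-admin", "CORP", 3, ip="10.0.0.5"),
    make_event("WEB01.corp.example", "svc-iis", "CORP", 8, ip="10.0.0.9"),
    make_event("LAP07.corp.example", "da-admin", "CORP", 11),
]

PRIVILEGED = {"da-admin"}
WORKSTATIONS = {"wks01.corp.example", "wks02.corp.example", "lap07.corp.example"}


def triage(events, privileged, workstations):
    """Return only the events that produced at least one finding."""
    results = [assess(parse_4624(x), privileged, workstations) for x in events]
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS, PRIVILEGED, WORKSTATIONS):
        print(f'{r["host"]:20} {r["user"]:10} {r["type"]:18} {"; ".join(r["findings"])}')
```

The type 3 logon by the domain admin produces no finding on purpose: per the thread it leaves nothing in lsass or on disk, so the only thing worth adding for it would be a delegation check on the account or endpoint, which needs directory data this example does not carry.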
If you are overwhelmed by the various Windows logon types and not sure how to track them in your environment, I wrote a tool that can help with that:


More from @jepayneMSFT

9 Apr 19
Popular attacker trick in corporate networks: change the WDigest UseLogonCredential registry key to 1.
Helpful if you want to transmute an RDP brute-forced local admin credential into domain credentials without risking a Mimikatz detection.
Why?
WDigest=plaintext creds in memory.
WDigest credentials being available in memory means attackers can use alternate "sophisticated" tools like Task Manager to get credentials instead of bringing cred theft tools that AV might detect. WDigest is disabled by default but can be enabled as admin without a reboot (just lock).
Monitoring changes to the WDigest registry key can give you a hint that someone might be interested in weakening your security posture or an attack might be starting.
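One way to do that monitoring, as an added example rather than anything from the thread's author: run Sysmon Event ID 13 (RegistryEvent, Value Set) records through a rule that fires only when the UseLogonCredential value under SecurityProviders\WDigest is written with a non-zero DWORD. The event field names (TargetObject, Details, Image) are Sysmon's own; the assumption that Sysmon renders the data as "DWORD (0x00000001)" is noted in the code, and the sample events and host names are constructed.

```python
"""Flag registry writes that enable WDigest credential caching, over Sysmon
Event ID 13 (RegistryEvent: Value Set) records rendered as XML."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The value the thread describes; the hive prefix varies, so anchor on the tail of the path.
WDIGEST_VALUE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.IGNORECASE)
# Assumption: Sysmon renders DWORD data as "DWORD (0x00000001)"; any non-zero value enables WDigest.
NONZERO_DWORD = re.compile(r"DWORD \(0x0*[1-9a-f][0-9a-f]*\)", re.IGNORECASE)


def parse_sysmon(xml_text: str) -> dict:
    """Flatten a Sysmon event into a dict of EventData fields plus EventID/Computer."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    data["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return data


def wdigest_enabled(ev: dict) -> bool:
    """True when this is a Value Set event that turned UseLogonCredential on."""
    return (ev.get("EventID") == "13"
            and WDIGEST_VALUE.search(ev.get("TargetObject", "")) is not None
            and NONZERO_DWORD.fullmatch(ev.get("Details", "")) is not None)


def scan(events):
    """Return one alert per event that enabled WDigest, with who wrote it."""
    alerts = []
    for ev in map(parse_sysmon, events):
        if wdigest_enabled(ev):
            alerts.append({"host": ev["Computer"], "image": ev.get("Image", ""),
                           "user": ev.get("User", ""), "value": ev["Details"]})
    return alerts


def make_event(host, event_id, fields):
    """Build a minimal Sysmon event (constructed sample, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Computer>{host}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


WDIGEST_PATH = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

# Constructed samples: one enable, one hardening write (set to 0), one unrelated key, one process create.
SAMPLE_EVENTS = [
    make_event("WKS05.corp.example", 13, {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
                                          "User": "CORP\\jdoe", "TargetObject": WDIGEST_PATH,
                                          "Details": "DWORD (0x00000001)"}),
    make_event("WKS06.corp.example", 13, {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
                                          "User": "NT AUTHORITY\\SYSTEM", "TargetObject": WDIGEST_PATH,
                                          "Details": "DWORD (0x00000000)"}),
    make_event("WKS06.corp.example", 13, {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
                                          "User": "CORP\\jdoe",
                                          "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Example\LastRun",
                                          "Details": "DWORD (0x00000001)"}),
    make_event("WKS05.corp.example", 1, {"Image": r"C:\Windows\System32\reg.exe",
                                         "CommandLine": "reg.exe query HKLM"}),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["user"]} wrote {a["value"]} via {a["image"]}')
```

Writes that set the value back to 0 are deliberately not alerted: that is the hardening direction, and alerting on it would train analysts to ignore the rule.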
8 Mar 19
Attackers don’t make assumptions that security policies are followed - they test them. There’s probably at least one person in your org that thinks Winter2019! is a strong password, and your service account passwords may not be as strong as you assume them to be.
Have a safe, legal, and documented way to verify your user accounts are following password best practices. Password sprays are a common entry vector because human-generated passwords that match ‘complexity’ tend to overlap. microsoft.com/en-us/microsof…
Service account passwords are excellent targets because of Kerberoasting and the availability of credentials via account sharing or use as services; while these may be assumed to be strong passwords, often they are old and haven’t been rotated.
11 Feb 19
Some things attackers like:

-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers

Why not check for these before they do?
Highly privileged accounts doing logon type 4 or 5 to workstations are useful to attackers because they leave credentials in memory and on disk - so an attacker can transmute one local administrator account into a domain wide compromise.
Weak Kerberos configurations in accounts are useful to attackers because they can be utilized to get offline password hashes to crack, or to modify Kerberos requests. Especially dangerous when combined with a weak/short password or no password required setting.
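The Kerberos weaknesses listed here, plus the stale service-account passwords mentioned in the earlier thread, can be checked from account attributes alone. The following is an added example and not code from the thread's author: it decodes the documented userAccountControl bits (DONT_REQUIRE_PREAUTH 0x400000, USE_DES_KEY_ONLY 0x200000, PASSWD_NOTREQD 0x20, ACCOUNTDISABLE 0x2) and looks at servicePrincipalName and pwdLastSet. The account records are constructed dictionaries standing in for what an LDAP query would return; the 365-day threshold is an assumed policy value.

```python
"""Audit account objects for the weak Kerberos configurations listed above,
using the documented Active Directory userAccountControl bit values."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag values (documented AD constants).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000


def audit_account(acct: dict, now: datetime, max_age_days: int = 365) -> list:
    """Return the weaknesses found on one account record.
    acct uses LDAP-style keys: sAMAccountName, userAccountControl (int),
    servicePrincipalName (list of str), pwdLastSet (timezone-aware datetime)."""
    uac = acct["userAccountControl"]
    findings = []
    if uac & UF_ACCOUNTDISABLE:
        return findings  # a disabled account cannot obtain tickets, so skip it
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("no Kerberos pre-authentication required")
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append("DES-only Kerberos keys")
    if uac & UF_PASSWD_NOTREQD:
        findings.append("password not required")
    age = (now - acct["pwdLastSet"]).days
    if acct.get("servicePrincipalName") and age > max_age_days:
        findings.append(f"service account (SPN set) with password {age} days old")
    return findings


def audit(accounts, now=None, max_age_days: int = 365) -> dict:
    """Map each account name to its findings, omitting clean accounts."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now, max_age_days)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


# Constructed sample directory; the thread date is used as "now" so the ages are stable.
NOW = datetime(2019, 2, 11, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "pwdLastSet": NOW - timedelta(days=1400)},
    {"sAMAccountName": "legacy-app",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_USE_DES_KEY_ONLY,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "kiosk", "userAccountControl": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "old-vendor",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": ["HTTP/vendor01.corp.example"], "pwdLastSet": NOW - timedelta(days=900)},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": [], "pwdLastSet": NOW - timedelta(days=40)},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, now=NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

Running it against the constructed directory flags svc-sql (stale service password), legacy-app (no preauth, DES keys) and kiosk (no password required), and leaves jdoe and the disabled old-vendor account out of the report.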
26 Jun 18
Cases I have investigated recently have included:

-new ‘elite’ malware that most well configured/behavioral AV would have caught
-‘junk’ malware used for initial entry
-unpatched servers on the internet

Attackers don’t often encounter networks that require advanced techniques.
Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with aka.ms/laps
Every week we encounter at least one case of a domain admin level account being available on a web facing/easily compromised server because of doubt about where the account is used and what it might break to remove it. You can figure that out with aka.ms/weffles
11 Dec 17
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI: aka.ms/WEFFLES
This is a blog post about how to build the lightweight IR console I personally used during my time as a consultant, which a lot of companies still have in place and use. I'm posting it in the hopes of 'commoditizing' security efforts and making things easier for defenders.
Since people asked: I want you ALL to 'steal' this work. Please. Use it, modify it, build on it, help your pentest customers with it, put it in place everywhere you go.
Help people solve the basics so we can level the playing field and get to solving more advanced problems.
30 Aug 17
Reacting to a new technique with 'well of course it works, they had admin' may indicate you don't fully appreciate the attacker mindset.
The attacker goal is not just to run code, but often to keep it running without you noticing for as long as possible; ‘borrowed’ trust helps.
If you are using a trusted tool or a troubleshooting tool to execute your code, you can inherit the 'reputation' of that process.
