LIFARS Insights: Logon Type Codes

Logon Type Codes

When monitoring your network, you’ll come across several logon types codes. We know that event Ids 528 and 540 represent successful logon and event ID 538 a logoff. However, there are several logon types and ways user’s can logon to a computer: whether through remote desktop or over a mapped drive. Therefore, it is important to be aware of the different logon type codes that exist. We compiled a list of the nine logon types you can use below.

Logon Type 2: Interactive

When a user logon from the computer, either from a domain or local account from the computer’s local SAM, a logon type 2 occurs. The domain or computer name preceding the username in the event’s description should tell you if it is a domain or local account.

Logon Type 3: Network

When a user accesses a computer over the same network it is logon type 3. Usually, these connections are to shared folders or printers, however, other over the network logon and to the IIS are also classified as logon 3.

Logon Type 4: Batch

When a Windows scheduled task is first created and when it is executed under an user account a logon type 4 occurs. This is an important logon type to keep a look out for, although many logon type 4 events may be innocent, attackers often use scheduled tasks for malicious intent. You may also see multiple logon failures if an attacker tries guessing the password of the user’s account multiple times. Keep in mind, logon failures also occur if the administrator enters the wrong password, or if the password of the account is changed, but the scheduled task was created under the old password.

Logon Type 5: Service

When a service is executed under a specific user account, a logon/logoff type 5 is created. A failed logon event may suggest that the password of the user account was changed without updated the service. For a malicious actor, to access a service and cause the type 5 logon event it would mean that the attacker has mostly likely already executed their malicious intent.

Logon Type 7: Unlock

When a user leaves their computer unattended, a password protected screen saver should automatically pop up. And once the user comes back and logs back in a logon type 7 event is created. You may see failed logon events when the wrong password is entered either by the user or an malicious actor.

Logon Type 8: NetworkCleartext

When a user logs onto the network using password sent in clear text over the network a logon type 8 event is created. This logon can occur from an ASP script using a ADVAPI or if a use logs into IIS using basic authentication mode.

Logon Type 9: NewCredentials

When a user executed the RunAs command under a different user account and specifies the /netonly switch a logon type 9 event is created. Note, if the RunAs command is run without the /netonly switch a logon type 2 event would be created.

Logon Type 10: RemoteInteractive

When a user accesses a computer through Remote Desktop, Remote Assistance, or Terminal Services a logon type 10 is created.

Logon Type 11: CachedInteractive

When mobile users who are not connected to the organization’s network attempt to logon to their laptop using a domain account with no domain controller available to verify their identity, Windows uses its cache of the last 10 interactive domain logins.

Staying aware of your Windows network is crucial, especially to the security of your organization. We hope the list of logon types can help you stay alert.