Logs, Fun and Logs

Logon Event vs Account Logon Event

As forensic analysts, we look for different kinds of information on a Windows system. Among the most popular are the event IDs related to connections to a computer. They allow us to determine the time period between a user logon and a user logoff, and thus to look for malicious activity around these dates and times. Of course, you must have identified a compromised user account before starting this kind of analysis.

Logon Event

Each time a user opens or closes a Windows session, an entry is created in the local Security.evtx Windows log. That’s what we call a Logon Event.

[Table of Logon Event IDs, columns: Where / What / Important; the rows did not survive extraction]

Each of the event IDs listed above comes with a property called “Logon Type”. There are several, numbered between 2 and 10:


Account Logon Event

Each time a user opens or closes a Windows session using a third party for the authentication, an entry is created in the Security.evtx Windows log on the Domain Controller responsible for the authentication. That’s what we call an Account Logon Event.

[Table of Account Logon Event IDs, columns: Where / What / Important; the rows did not survive extraction]

Sometimes you’ll observe Account Logon event IDs stored locally in the Security.evtx on your computer (not on the DC). This indicates that the user account used to connect to your machine was a local user account (not a domain user). It authenticated locally through the SAM registry hive and so did not use a third party for the authentication process.
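As an added illustration (not part of the original post), the Python below pairs logon and logoff records from a Security.evtx export to get the logon-to-logoff windows the post talks about, and separates Account Logon events found on the workstation itself (local SAM accounts) from Logon Events. The event IDs, logon type numbers and the flat record layout are assumptions taken from Windows documentation and a constructed export, not from the page.

```python
from datetime import datetime

# Well-known Security.evtx event IDs and logon types (assumed from Windows
# documentation; the page itself does not list them).
LOGON_EVENT_IDS = {4624: "logon", 4634: "logoff", 4647: "user-initiated logoff"}
ACCOUNT_LOGON_EVENT_IDS = {4768: "Kerberos TGT request", 4776: "NTLM credential validation"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample records, shaped like a flat evtx-to-JSON export of one
# workstation's Security log (not a real capture).
SAMPLE_RECORDS = [
    {"time": "2024-03-01T08:02:10", "id": 4624, "user": "jdoe", "logon_id": "0x3e7a1", "type": 10},
    {"time": "2024-03-01T08:02:09", "id": 4776, "user": "localadmin"},
    {"time": "2024-03-01T09:30:00", "id": 4634, "user": "jdoe", "logon_id": "0x3e7a1", "type": 10},
    {"time": "2024-03-01T10:00:00", "id": 4624, "user": "svc_backup", "logon_id": "0x4f002", "type": 5},
]

def classify(event_id):
    """Tell a Logon Event (local Security.evtx) from an Account Logon Event (normally on the DC)."""
    if event_id in LOGON_EVENT_IDS:
        return "Logon Event"
    if event_id in ACCOUNT_LOGON_EVENT_IDS:
        return "Account Logon Event"
    return "other"

def _session(start, end):
    duration = None if end is None else (
        datetime.fromisoformat(end) - datetime.fromisoformat(start["time"])).total_seconds()
    return {"user": start["user"], "logon_type": LOGON_TYPES.get(start["type"], "unknown"),
            "start": start["time"], "end": end, "duration_s": duration}

def build_sessions(records):
    """Pair each 4624 with the 4634/4647 carrying the same Logon ID to get logon->logoff windows.
    Sessions with no matching logoff are reported with end=None (still open, or log rolled over)."""
    open_sessions, sessions = {}, []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["id"] == 4624:
            open_sessions[r["logon_id"]] = r
        elif r["id"] in (4634, 4647) and r.get("logon_id") in open_sessions:
            sessions.append(_session(open_sessions.pop(r["logon_id"]), r["time"]))
    sessions.extend(_session(start, None) for start in open_sessions.values())
    return sessions

def local_account_logons(records):
    """Account Logon events sitting in a workstation's own Security.evtx point at local (SAM) accounts."""
    return sorted({r["user"] for r in records if r["id"] in ACCOUNT_LOGON_EVENT_IDS})
```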

