EventPeeker
Event ID 4624 · Audit Success · Security · T1550.002

Windows Event ID 4624: Successful Logon

Logged every time an account successfully authenticates to a Windows system. One of the highest-volume events in the Security log — a DC in a large domain can generate millions per day. The security value is not in individual events but in patterns: the logon type, authentication protocol, source, and account together reveal lateral movement, pass-the-hash, RDP access, and service account abuse.

MITRE ATT&CK

Technique: T1550.002 · Pass the Hash
Tactic: Lateral Movement

Why It Matters

4624 is the primary data source for detecting lateral movement. Type 3 (network) logons using NTLM on domain controllers are a pass-the-hash signal — Kerberos is the expected domain protocol; NTLM is a downgrade that indicates a hash, not a password, was used. Multiple Type 3 logons from a single source IP across different hosts in quick succession is the textbook lateral movement pattern. Type 10 (RDP) from external or unusual IPs indicates unauthorized remote access. A 4624 immediately following a spike of 4625 failures means a credential attack succeeded.

Key Fields

Logon Type: The authentication method — each type has a distinct security profile. 2 = Interactive (local console), 3 = Network (file shares, WMI, named pipes — most attack traffic), 4 = Batch (scheduled tasks), 5 = Service (service account startup), 7 = Unlock (screen unlock — short sessions are normal), 10 = RemoteInteractive (RDP/Terminal Services), 11 = CachedInteractive (offline cached credentials).
Account Name: The account that authenticated — 'ANONYMOUS LOGON' indicates a null session and warrants immediate investigation.
Source Network Address: The originating IP — blank for local Type 2; populated for Type 3 and Type 10 network logons. Primary field for lateral movement detection.
Workstation Name: Source hostname — cross-reference with Source Network Address; a mismatch may indicate a compromised host acting as a pivot.
Authentication Package: NTLM vs Kerberos — NTLM on a domain system is a protocol downgrade; NTLM to a DC for a domain account is a strong pass-the-hash indicator.
Logon ID: Unique session identifier — use it to correlate with 4634 (logoff), 4672 (privileges assigned), and 4688 (processes launched) for full session context.
Elevated Token: Yes = UAC-elevated admin session; correlate with 4672 to confirm full privilege assignment.

Investigation Tips

  1. Pass-the-hash signal: Type 3 logon with Authentication Package = NTLM to a domain controller. Legitimate domain authentication uses Kerberos; NTLM for a domain account to a DC means a hash, not a password, was used. Filter: EventID=4624, LogonType=3, AuthPackage=NTLM, TargetDomainName not 'NT AUTHORITY'.
  2. Lateral movement pattern: a single Source Network Address generating Type 3 logons across multiple different hosts within minutes. One source, many destinations in rapid succession = attacker moving through the environment.
  3. RDP (Type 10) from external IPs, VPN ranges not in your admin workstation baseline, or any IP that also appears in 4625 failures = unauthorized or post-brute-force remote access.
  4. Credential attack success: a 4625 spike from a source IP followed by a 4624 from the same source = attacker succeeded. The time between the last failure and the first success is the detection window — measure it to understand your coverage gap.
  5. Service logon baseline (Type 5): enumerate which service accounts log on to which hosts. New service accounts appearing in Type 5 logons, or existing accounts on new hosts, are persistence indicators — correlate with 4697 and 7045.
  6. ANONYMOUS LOGON in Account Name: null session — an unauthenticated connection attempting to enumerate shares, accounts, or registry. Block via Group Policy: 'Network access: do not allow anonymous enumeration of SAM accounts and shares'.
  7. Correlate Logon ID with 4688 to reconstruct what the session executed — especially useful for Type 3 logons that appear briefly (attacker runs a command and disconnects).
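The detection logic from tips 1, 2 and 4 above, as an added Python example that is not part of the EventPeeker page. The records are constructed, and the field names, the DC list and the thresholds (3 hosts in 5 minutes, 5 failures in 10 minutes) are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("time", "id", "logon_type", "auth", "account", "domain", "src_ip", "host")
# Constructed sample rows (not real log data): one Kerberos logon, an NTLM Type 3
# fan-out from 10.0.1.99, and five RDP failures from 203.0.113.5 followed by a success.
RAW = [
    ("2024-05-01T09:00:00", 4624, 3, "Kerberos", "alice", "CORP", "10.0.1.20", "FS01"),
    ("2024-05-01T09:01:00", 4624, 3, "NTLM", "svc_bkp", "CORP", "10.0.1.99", "DC01"),
    ("2024-05-01T09:02:00", 4624, 3, "NTLM", "svc_bkp", "CORP", "10.0.1.99", "FS01"),
    ("2024-05-01T09:03:00", 4624, 3, "NTLM", "svc_bkp", "CORP", "10.0.1.99", "WS07"),
    ("2024-05-01T09:12:30", 4624, 10, "NTLM", "admin", "CORP", "203.0.113.5", "RDP01"),
] + [("2024-05-01T09:10:%02d" % s, 4625, 10, "NTLM", "admin", "CORP", "203.0.113.5", "RDP01")
     for s in range(0, 50, 10)]
EVENTS = sorted((dict(zip(FIELDS, r)) for r in RAW), key=lambda e: e["time"])
for e in EVENTS:  # ISO-8601 strings sort correctly; convert to datetime after sorting
    e["time"] = datetime.fromisoformat(e["time"])

def pass_the_hash(events, dcs):
    """Tip 1: Type 3 NTLM logon of a domain account to a domain controller."""
    return [(e["account"], e["src_ip"], e["host"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"
            and e["host"] in dcs and e["domain"] != "NT AUTHORITY"]

def lateral_movement(events, window=timedelta(minutes=5), min_hosts=3):
    """Tip 2: one Source Network Address reaching >= min_hosts distinct hosts via Type 3 within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, evs in by_src.items():  # widest fan-out over any window starting at an event
        fanout = max(({x["host"] for x in evs[i:] if x["time"] - f["time"] <= window}
                      for i, f in enumerate(evs)), key=len)
        if len(fanout) >= min_hosts:
            hits[src] = fanout
    return hits

def credential_attack_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Tip 4: {src_ip: (4625 count in window, seconds from last 4625 to first 4624)}."""
    failures, hits = defaultdict(list), {}
    for e in events:  # relies on time order
        if e["id"] == 4625:
            failures[e["src_ip"]].append(e["time"])
        elif e["id"] == 4624 and e["src_ip"] not in hits:
            recent = [t for t in failures[e["src_ip"]] if e["time"] - t <= window]
            if len(recent) >= min_failures:
                hits[e["src_ip"]] = (len(recent), (e["time"] - recent[-1]).total_seconds())
    return hits
```

The seconds value returned for tip 4 is the detection window the tip tells you to measure; the Kerberos logon from 10.0.1.20 and the single-host sources fall through every check.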

Related Event IDs

4625: Failed logon — many failures before a 4624 from the same source = credential attack success
4634: Account logoff — pair with 4624 on Logon ID to compute session duration
4672: Special privileges assigned — fires alongside 4624 for any privileged account
4648: Logon with explicit credentials — RunAs or network connection using a different account
4776: NTLM credential validation — DC-side view of the same NTLM logon event
