EventPeeker
Event ID 4624 · Audit Success · Security · T1550.002

Windows Event ID 4624: Successful Logon

Logged every time an account successfully authenticates to a Windows system. One of the highest-volume events in the Security log — a DC in a large domain can generate millions per day. The security value is not in individual events but in patterns: the logon type, authentication protocol, source, and account together reveal lateral movement, pass-the-hash, RDP access, and service account abuse.

MITRE ATT&CK

Technique: T1550.002 · Pass the Hash
Tactic: Lateral Movement

Why It Matters

4624 is the primary data source for detecting lateral movement. Type 3 (network) logons using NTLM on domain controllers are a pass-the-hash signal — Kerberos is the expected domain protocol; NTLM is a downgrade that indicates a hash, not a password, was used. Multiple Type 3 logons from a single source IP across different hosts in quick succession are the textbook lateral movement pattern. Type 10 (RDP) from external or unusual IPs indicates unauthorized remote access. A 4624 immediately following a spike of 4625 failures means a credential attack succeeded.

Key Fields

Logon Type: The authentication method — each type has a distinct security profile. 2 = Interactive (local console), 3 = Network (file shares, WMI, named pipes — most attack traffic), 4 = Batch (scheduled tasks), 5 = Service (service account startup), 7 = Unlock (screen unlock — short sessions are normal), 10 = RemoteInteractive (RDP/Terminal Services), 11 = CachedInteractive (offline cached credentials)
Account Name: The account that authenticated — 'ANONYMOUS LOGON' indicates a null session and warrants immediate investigation
Source Network Address: The originating IP — blank for local Type 2; populated for Type 3 and Type 10 network logons. Primary field for lateral movement detection
Workstation Name: Source hostname — cross-reference with Source Network Address; a mismatch may indicate a compromised host acting as a pivot
Authentication Package: NTLM vs Kerberos — NTLM on a domain system is a protocol downgrade; NTLM to a DC for a domain account is a strong pass-the-hash indicator
Logon ID: Unique session identifier — use to correlate with 4634 (logoff), 4672 (privileges assigned), and 4688 (processes launched) for full session context
Elevated Token: Yes = UAC-elevated admin session; correlate with 4672 to confirm full privilege assignment

Investigation Tips

  1. Pass-the-hash signal: Type 3 logon with Authentication Package = NTLM to a domain controller. Legitimate domain authentication uses Kerberos; NTLM for a domain account to a DC means a hash, not a password, was used. Filter: EventID=4624, LogonType=3, AuthPackage=NTLM, TargetDomainName not 'NT AUTHORITY'.
  2. Lateral movement pattern: single Source Network Address generating Type 3 logons across multiple different hosts within minutes. One source, many destinations in rapid succession = attacker moving through the environment.
  3. RDP (Type 10) from external IPs, VPN ranges not in your admin workstation baseline, or any IP that also appears in 4625 failures = unauthorized or post-brute-force remote access.
  4. Credential attack success: 4625 spike from a source IP followed by a 4624 from the same source = attacker succeeded. The time between last failure and first success is the detection window — measure it to understand your coverage gap.
  5. Service logon baseline (Type 5): enumerate which service accounts log on to which hosts. New service accounts appearing in Type 5 logons, or existing accounts on new hosts, are persistence indicators — correlate with 4697 and 7045.
  6. ANONYMOUS LOGON in Account Name: null session — unauthenticated connection attempting to enumerate shares, accounts, or registry. Block via Group Policy: 'Network access: do not allow anonymous enumeration of SAM accounts and shares'.
  7. Correlate Logon ID with 4688 to reconstruct what the session executed — especially useful for Type 3 logons that appear briefly (attacker runs a command and disconnects).
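Tips 1 and 2 as executable detection logic, written here as an added example (not EventPeeker's code): a handful of constructed 4624 records, keyed by the EventData field names the event uses, are filtered for NTLM Type 3 logons to a DC and for one source IP fanning out to several hosts inside a short window. The DC inventory and the 5-minute / 3-host thresholds are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample of 4624 records (not real log data); keys follow the
# EventData field names of Event ID 4624.
EVENTS = [
    {"TimeCreated": "2024-03-01T09:00:05", "Computer": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "IpAddress": "10.0.5.20"},
    {"TimeCreated": "2024-03-01T09:01:10", "Computer": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "10.0.9.77"},
    {"TimeCreated": "2024-03-01T09:01:12", "Computer": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.9.77"},
    {"TimeCreated": "2024-03-01T09:02:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "10.0.9.77"},
    {"TimeCreated": "2024-03-01T09:02:30", "Computer": "WS042", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "10.0.9.77"},
    {"TimeCreated": "2024-03-01T09:03:15", "Computer": "SQL01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "10.0.9.77"},
]
DOMAIN_CONTROLLERS = {"DC01"}  # assumption: your DC inventory

def ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])

def pass_the_hash_hits(events, dcs=DOMAIN_CONTROLLERS):
    """Tip 1: Type 3 + NTLM to a DC for a domain account (NT AUTHORITY excluded)."""
    return [e for e in events
            if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"
            and e["Computer"] in dcs and e["TargetDomainName"] != "NT AUTHORITY"]

def lateral_movement_sources(events, window=timedelta(minutes=5), min_hosts=3):
    """Tip 2: one source IP reaching >= min_hosts distinct hosts via Type 3 in the window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["LogonType"] == 3 and e["IpAddress"]:
            by_src[e["IpAddress"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):  # slide the window from each logon
            hosts = {x["Computer"] for x in evs[i:] if ts(x) - ts(first) <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = hosts
                break
    return flagged
```

The anonymous NTLM logon from the same source is dropped by the NT AUTHORITY filter, so the PtH hit list contains only the domain account; the fan-out check still counts every host that source touched.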

Related Event IDs

4625: Failed logon — many failures before a 4624 from the same source = credential attack success
4634: Account logoff — pair with 4624 on Logon ID to compute session duration
4672: Special privileges assigned — fires alongside 4624 for any privileged account
4648: Logon with explicit credentials — RunAs or network connection using a different account
4776: NTLM credential validation — DC-side view of the same NTLM logon event

Frequently Asked Questions

Why am I seeing thousands of Event ID 4624 every day?
High volume is expected and normal — a domain controller in a mid-size environment can generate hundreds of thousands of 4624 events daily. Every file share access, scheduled task run, service startup, and user login produces one. The security value is not in individual events but in patterns: logon type, source IP, authentication protocol, and timing. Filter to Type 3 (network) logons using NTLM on domain controllers, or Type 10 (RDP) from unexpected source IPs, rather than trying to review every event.
Is Event ID 4624 from an unknown IP address a threat?
It depends on the logon type. A Type 10 (RDP) 4624 from an IP outside your admin workstation baseline is high priority — it means someone remotely accessed a system. A Type 3 (network) 4624 using NTLM authentication to a domain controller from an unexpected host is a strong pass-the-hash indicator — domain accounts should authenticate via Kerberos, not NTLM, to a DC. A Type 3 using Kerberos from an unfamiliar IP warrants checking but may be a new device or VPN endpoint. ANONYMOUS LOGON in the account name is always suspicious regardless of source.
What logon types in Event ID 4624 should I investigate first?
Prioritize in this order: Type 3 (network) with Authentication Package = NTLM on a domain controller — pass-the-hash signal; Type 10 (RemoteInteractive / RDP) from IPs not in your admin workstation list — unauthorized remote access; Type 9 (NewCredentials / RunAs with alternate credentials) from non-admin accounts — credential misuse; Type 5 (service) for new service accounts or existing accounts on new hosts — persistence indicator. Type 2 (interactive console) and Type 7 (unlock) are lowest priority unless the account or host is unexpected.
How do I detect a successful brute-force attack using Event ID 4624?
Look for a 4624 success event from the same Source Network Address that was generating 4625 failures immediately before it. The pattern is: 10+ failures from IP X for account Y, then a 4624 for account Y from IP X within minutes. That gap between last failure and first success is your detection window. In your SIEM, join 4625 and 4624 on the source IP and account within a 10-minute window — any match where failures preceded success by less than the gap threshold is almost certainly a successful brute-force or password spray.
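The 4625-to-4624 join described above, as an added example that is not part of the original page: constructed failure and success records are joined on (source IP, account) inside a 10-minute window, and each match reports the failure count and the gap from the last failure to the success, which is the detection window the answer asks you to measure. The 10-failure threshold is an assumption matching the "10+" figure in the text.

```python
from datetime import datetime, timedelta

def ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])

def make(event_id, when, user, ip):
    return {"EventID": event_id, "TimeCreated": when.isoformat(),
            "TargetUserName": user, "IpAddress": ip}

# Constructed sample (not real log data): 12 failures from one external IP every
# 20 s, then a success 50 s after the last failure; plus a user who mistypes
# a password twice and then logs in normally.
T0 = datetime(2024, 3, 1, 2, 0, 0)
EVENTS = [make(4625, T0 + timedelta(seconds=20 * i), "jsmith", "203.0.113.9")
          for i in range(12)]
EVENTS.append(make(4624, T0 + timedelta(minutes=4, seconds=30), "jsmith", "203.0.113.9"))
EVENTS += [make(4625, T0 + timedelta(minutes=3), "alice", "10.0.5.20"),
           make(4625, T0 + timedelta(minutes=3, seconds=10), "alice", "10.0.5.20"),
           make(4624, T0 + timedelta(minutes=3, seconds=20), "alice", "10.0.5.20")]

def brute_force_successes(events, window=timedelta(minutes=10), min_failures=10):
    """Join each 4624 to the 4625s from the same (IP, account) inside the window.
    Returns (ip, account, failure_count, gap_seconds) per match, where gap_seconds
    is last failure -> success: the detection window."""
    events = sorted(events, key=ts)
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 4624:
            continue
        key = (ev["IpAddress"], ev["TargetUserName"])
        t = ts(ev)
        fails = [ts(f) for f in events[:i]
                 if f["EventID"] == 4625 and t - ts(f) <= window
                 and (f["IpAddress"], f["TargetUserName"]) == key]
        if len(fails) >= min_failures:
            hits.append((key[0], key[1], len(fails), (t - max(fails)).total_seconds()))
    return hits
```

Lowering min_failures to 2 shows why the threshold matters: alice's two typos followed by a normal login would then match too.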
