Do You Know Who's Logging into Your Computer?
- Chris Yarbrough
- Jun 26, 2024
- 4 min read
In cybersecurity, recognizing the different types of logins and understanding how to verify their legitimacy is crucial for maintaining a secure environment. Various login types are often identified by specific event IDs and logon types, which can provide valuable insights into potential security incidents. Here, we will break down the common login types, what they mean, and how to verify if the logins are legitimate or contain indicators of compromise (IOCs).
Common Login Types
Logon Type 2: Interactive Logon
Description: This logon type occurs when a user physically logs into a machine using a keyboard and monitor. It's common for desktops and workstations.
Event ID: 4624 (Successful logon)
Verification:
- Check the time of the logon: Is it within normal working hours?
- Verify the source device: Is the login from a known workstation?
- Correlate with physical access logs if available.
Logon Type 3: Network Logon
Description: This occurs when resources are accessed over the network, such as file shares or a web service.
Event ID: 4624 (Successful logon)
Verification:
- Review the source IP address: Is it a known internal or external IP?
- Check for unusual patterns: Multiple logins from different locations in a short time frame can indicate a compromise.
- Monitor for failed logon attempts (Event ID 4625) preceding the successful logon.
Logon Type 4: Batch Logon
Description: This is used for scheduled tasks and batch jobs.
Event ID: 4624 (Successful logon)
Verification:
- Validate the scheduled task: Ensure the task is known and scheduled.
- Check the account used: Is it a dedicated service account? Regular user accounts should not perform batch logons.
- Review the task's activity: Ensure it performs expected actions.
Logon Type 5: Service Logon
Description: This logon type is used when services log on to the system.
Event ID: 4624 (Successful logon)
Verification:
- Verify the service account: Confirm that the account is assigned to a legitimate service.
- Monitor for anomalies: Look for service logons at unusual times or from unexpected locations.
- Cross-reference with service configurations: Ensure the logon aligns with known service operations.
Logon Type 7: Unlock Logon
Description: This occurs when a user unlocks a previously locked workstation.
Event ID: 4624 (Successful logon)
Verification:
- Check the user: Ensure the user unlocking the workstation is the one who locked it.
- Review the context: Validate the time and location to ensure they align with expected behavior.
- Monitor for repeated lock/unlock cycles: These could indicate an attempt to bypass security controls.
Logon Type 8: NetworkCleartext Logon
Description: This logon type occurs when credentials are sent over the network in clear text, such as via Basic authentication in HTTP.
Event ID: 4624 (Successful logon)
Verification:
- Avoid using clear text logons: Implement more secure authentication methods like NTLM or Kerberos.
- Monitor network traffic: Use network security tools to detect and alert on clear text credential transmission.
- Check for encryption: Ensure communications are protected with SSL/TLS.
Logon Type 10: RemoteInteractive Logon
Description: This type is used for remote desktop (RDP) sessions.
Event ID: 4624 (Successful logon)
Verification:
- Verify the source: Ensure the source IP address is recognized and authorized for RDP access.
- Monitor session activity: Check for unusual behavior during the RDP session.
- Correlate with other events: Look for failed logon attempts (Event ID 4625) or changes in user privileges (Event ID 4670).
Logon Type 11: CachedInteractive Logon
Description: This occurs when a user logs on with cached credentials, typically when a domain controller is unavailable.
Event ID: 4624 (Successful logon)
Verification:
- Validate user behavior: Ensure the user typically works offline or that the domain controller was indeed unavailable.
- Monitor frequency: Frequent cached logons may indicate connectivity issues or an attempt to use outdated credentials.
- Check for anomalies: Correlate with network availability logs to rule out unexpected behavior.
Detecting Indicators of Compromise (IOCs)
To determine if a login event is legitimate or an IOC, consider the following best practices:
- Baseline Normal Activity: Understand what typical logon activity looks like for your environment, including times, locations, and user behavior.
- Monitor for Anomalies: Use security information and event management (SIEM) tools to identify deviations from the baseline, such as logons from unusual locations or at odd hours.
- Cross-Reference Logs: Correlate logon events with other security logs, such as network traffic, access logs, and application logs, to identify patterns indicating a compromise.
- Implement Multi-Factor Authentication (MFA): Use MFA to add an additional layer of security, making it harder for attackers to exploit stolen credentials.
- Regular Audits: Perform regular audits of logon events and access controls to ensure compliance with security policies and detect potential compromises early.
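The per-type verification checks above and the "baseline, then flag deviations" practice can be turned into a small triage pass over exported 4624/4625 events. The following is an added example, not code from the original post; the events, the working-hours baseline, the service-account set, the RDP allowlist and the failed-logon threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields mirror the 4624/4625 properties
# the post discusses: event id, logon type, account, source, and timestamp.
EVENTS = [
    {"id": 4624, "type": 2,  "user": "alice",      "src": "WS01",        "ts": "2024-06-25 09:12"},
    {"id": 4624, "type": 2,  "user": "alice",      "src": "WS01",        "ts": "2024-06-25 02:40"},
    {"id": 4625, "type": 3,  "user": "bob",        "src": "10.9.9.9",    "ts": "2024-06-25 10:00"},
    {"id": 4625, "type": 3,  "user": "bob",        "src": "10.9.9.9",    "ts": "2024-06-25 10:01"},
    {"id": 4625, "type": 3,  "user": "bob",        "src": "10.9.9.9",    "ts": "2024-06-25 10:02"},
    {"id": 4624, "type": 3,  "user": "bob",        "src": "10.9.9.9",    "ts": "2024-06-25 10:03"},
    {"id": 4624, "type": 4,  "user": "carol",      "src": "WS02",        "ts": "2024-06-25 11:00"},
    {"id": 4624, "type": 8,  "user": "dave",       "src": "10.1.1.5",    "ts": "2024-06-25 11:30"},
    {"id": 4624, "type": 10, "user": "erin",       "src": "203.0.113.7", "ts": "2024-06-25 12:00"},
    {"id": 4624, "type": 5,  "user": "svc_backup", "src": "SRV01",       "ts": "2024-06-25 13:00"},
]
SERVICE_ACCOUNTS = {"svc_backup"}                # assumed dedicated service accounts (baseline)
RDP_ALLOWLIST = {"10.1.1.5"}                     # assumed approved RDP source addresses
WORK_HOURS = range(8, 19)                        # assumed normal working hours, 08:00-18:59
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)  # 4625 burst before a 4624

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def triage(events):
    """Return (event, reason) pairs for successful logons that fail the checks."""
    findings, fails = [], defaultdict(list)      # fails: (user, src) -> 4625 timestamps
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        when, key = parse(ev["ts"]), (ev["user"], ev["src"])
        if ev["id"] == 4625:                     # remember failures for later correlation
            fails[key].append(when)
            continue
        t = ev["type"]
        if t == 2 and when.hour not in WORK_HOURS:
            findings.append((ev, "interactive logon outside working hours"))
        elif t == 3:
            recent = [f for f in fails[key] if when - f <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append((ev, f"{len(recent)} failed logons (4625) preceded success"))
        elif t in (4, 5) and ev["user"] not in SERVICE_ACCOUNTS:
            findings.append((ev, "batch/service logon by non-service account"))
        elif t == 8:
            findings.append((ev, "clear text credentials sent over the network"))
        elif t == 10 and ev["src"] not in RDP_ALLOWLIST:
            findings.append((ev, "RDP from source not on allowlist"))
    return findings

if __name__ == "__main__":
    for ev, why in triage(EVENTS):
        print(f"{ev['ts']} type {ev['type']:>2} {ev['user']}@{ev['src']}: {why}")
```

Each finding is a lead for the cross-referencing step, not a verdict; the type 7 and type 11 checks need the lock/unlock history and domain-controller availability logs that a single event export does not carry.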
Conclusion
Understanding different logon types and how to verify their legitimacy is crucial for identifying and mitigating security threats. By establishing baselines, monitoring for anomalies, and cross-referencing logs, you can effectively detect and respond to potential indicators of compromise. Implementing robust security measures like MFA and regular audits will further enhance your organization's security posture.
Have you implemented strategies for monitoring logon events in your organization? Share your experiences and best practices in the comments below!
#Cybersecurity #Login #Authentication #Networking #Analysis #IndicatorsOfCompromise #Security #Monitoring