Authentication Data Transaction
Account Logon Flow v0.1
In the second part of Step 1, the
Subsystem Service (LSASS)
process is initialized. The LSASS
component is a process that
4688
Windows security subsystem.
Winlogon Process initialization
Winlogon is initialized. Winlogon is a
system component (it’s a process) that
acts as a proxy component between
the user and Windows authentication
subsystem internals. It is also
responsible for switching Windows
desktops and handling the Secure
Attention Sequence (SAS)
Initialization
https://twitter.com/rimpq
Special thanks to Andrei Miroshnikov for awesome book
"Windows Security Monitoring: Scenarios and Patterns" https://www.amazon.com/gp/product/B07BGHYF61
LSASS Initialization
Local Security Authority
contains components of the
4688
4608
Successful System Startup
This event is logged when
LSASS.EXE starts and the
auditing subsystem is initialized.
SYSTEM Account Logon
Local System Account Logon
Even though the Local System
account is a built-in special
account which represents the
machine itself, it also performs its
logon to the system.
4624
4627
Group membership information
Security System Extention Loaded
A security package has been loaded by the Local Security
Authority.
C:\Windows\system32\lsasrv.dll : Negotiate
C:\Windows\system32\negoexts.DLL : NegoExtender
C:\Windows\system32\kerberos.DLL : Kerberos
C:\Windows\system32\msv1_0.DLL : NTLM
C:\Windows\system32\tspkg.DLL : TSSSP
C:\Windows\system32\pku2u.DLL : pku2u
C:\Windows\system32\cloudAP.DLL : CloudAP
C:\Windows\system32\wdigest.DLL : WDigest
C:\Windows\system32\schannel.DLL : Schannel
C:\Windows\system32\schannel.DLL : Microsoft Unified
Security Protocol Provider
4622
An authentication package has been loaded by the
Local Security Authority. This authentication package
will be used to authenticate logon attempts.
Security Package
Loading
Authentication Data Gathering
LogonUI’s purpose is to collect user credentials and
pass them to LSASS for validation. LogonUI is invoked
by Winlogon each time authenticated data needs to be
collected/gathered from a user. After LogonUI gets a
4610 user’s credentials and passes them to LSASS, it
terminates.
A logon was attempted using explicit
Security System Extention Used
4688
Get Authentication Data and Create DWM Session
Send Credentials from Winlogon to LSASS
After a credential provider gets authentication data from
the user, Winlogon invokes the LsaLogonUser function
to pass authentication data to LSASS. The
LsaLogonUser function uses LsaAuthenticationPort,
LSASS’s ALPC port for communications.
4648 Desktop Windows Manager (DWM) Logon 4627
credentials.
4624 Group membership information
4673
As a result of a successful LsaRegisterLogonProcess()
function call explain in this event. This logon process is
Support Provider (SSP), which then passes them to the
selected. You will find multiple 4622 events that inform
4611
A trusted logon process has been registered
now trusted to submit logon requests. This event
contains the name of a logon process (Logon Process
Name) that was successfully registered using
LsaRegisterLogonProcess().
proceed with the request, the data is sent to the domain
Local User Account
Local User Scenario
If the account is a local user account, the user’s
credentials are passed to the Negotiate Security
MSV1_0 security support provider/authentication
package (SSP/AP). Negotiate SSP selects between
Kerberos SSP/AP and MSV1_0 SSP/AP. For local
Local User Logon: MSV1_0 Answer Special privileges assigned to new logon.
account interactive logons, MSV1_0 SSP/AP is An account was successfully logged on localy
Explorer.exe
you that lsass.exe loaded a specific security package
(SSP/AP). The Security Package Name has the
following format: Package DLL Location : Package
4610 After MSV1_0 gets a user’s account hash from the
SAM manager, it compares it with a hash generated
from the user’s supplied credentials.
4648 Some information in this event is the same as in the
4648 event.
4627 If a user’s elevated token has one of the special
privileges, a 4672 event is generated containing all
detected special privileges.
4688 Userinit.exe creates explorer.exe
N
A logon was attempted using explicit Group membership information Userinit.exe
4622 Security System Extention Used
An authentication package has been loaded by the
4676 credentials
The event shows the logon initiation attempt for a
4624 After every 4624 successful logon event, the 4627
event is invoked. It contains SIDs for all groups of which
4672 At the end of the local interactive logon authentication
process, Winlogon sends information to the userinit.exe
4688
Local Security Authority. This authentication package normal interactive logon. It is initiated by the local the user is a member. process, which loads the user’s profile. After the user’s
will be used to authenticate logon attempts. SYSTEM account. profile is loaded, userinit.exe creates a local shell,
invoking the explorer.exe process. You should see two
4688 events: one for userinit.exe and another one for
explorer.exe. Winlogon.exe creates userinit.exe and
then userinit.exe creates explorer.exe.
Post-Initialization
Domain User Scenario
Negotiate SSP selects an appropriate authentication
package to handle the authentication request. It will
Credentials Validation on the Domain Controller
always try Kerberos AP first. If Kerberos AP is able to
controller for validation. If the Kerberos or MSV1_0 packages were able to
4648 reach the domain controller, then the domain controller
validates the credentials.
A logon was attempted using explicit
credentials.
The event shows the logon initiation attempt for a
normal interactive logon. It is initiated by the local
SYSTEM account.
4624
An Domain account was successfully logged on localy
An account was successfully logged on
Domain User Acсount
4624
RemoteInteractive Logon (10)
RemoteInteractive Logon Cached Credentials (12)
Interactive Logon With Cached Credentials (11)
Network Logon (3)
NetworkCleartext Logon (8)
Logon Types
Unlock Logon (7)