
Artifacts for Account Usage: Last Login || Success/Fail Logons || Last Password Change || Logon Types || RDP Usage.

1. Last Login:


Location:

  • C:\windows\system32\config\SAM

  • SAM\Domains\Account\Users


Interpretation:

  • Each local user has a subkey under SAM\Domains\Account\Users named by its RID in hex (e.g. 000001F4 for RID 500). The F value under that key holds the last logon time as a 64-bit FILETIME, alongside the password-last-set time, the last failed logon time and the logon/failed-logon counters.

  • Only local accounts are recorded here. Domain accounts never appear in the SAM, so their last logon has to come from the Security log or from the domain controller.

  • The SAM hive is locked while Windows is running: parse it from a forensic image, an exported hive, or a Volume Shadow Copy rather than the live file.

  • This information is valuable for understanding user activity and for telling active accounts from dormant ones (a long-idle or never-used account that suddenly shows a recent logon deserves a closer look).

-------------------------------------------------------------------------------------------------------------


2. Success/Fail Logons:


Location:

  • XP: %systemroot%\System32\config\SecEvent.evt

  • Win7-10: %systemroot%\System32\winevt\logs\Security.evtx


Interpretation:

  • Event IDs provide information about successful and failed logon attempts (XP ID / Vista-and-later ID):

  • 528/4624: Successful Logon. On Vista and later a single 4624 covers every kind of logon; the Logon Type field (section 4) tells console, network, service and RDP logons apart.

  • 529/4625: Failed Logon. XP also used 530-537 and 539 for specific failure reasons (disabled account, expired password, lockout, ...); 4625 folds these into its Status/SubStatus fields, e.g. 0xC000006A (bad password), 0xC0000064 (no such user) and 0xC0000234 (locked out).

  • 538/4634: Successful Logoff (4647 is the user-initiated logoff of an interactive session).

  • 540/4624: Successful Network Logon (e.g., file shares); on Vista and later this is 4624 with Logon Type 3.

  • Monitoring these events helps track account usage and detect potential security breaches: a burst of 4625 for one account from one source followed by a 4624 is the classic password-guessing-then-success pattern.

  • What gets recorded depends on the audit policy in force, and the log overwrites its oldest records once it reaches its configured maximum size, so the absence of an event is not evidence that no logon occurred. For domain accounts the authentication is also logged on the domain controller.

-------------------------------------------------------------------------------------------------------------


3. Last Password Change:


Location:

  • C:\windows\system32\config\SAM

  • SAM\Domains\Account\Users


Interpretation:

  • The same F value that holds the last logon time also stores the password-last-set time for each local user as a 64-bit FILETIME; it is updated by user-initiated changes and by administrative resets alike.

  • Useful for checking password age against policy and for spotting an unexpected reset, e.g. a local account whose password was changed right after a suspicious logon, which is a common way of keeping access.

  • Password changes are also auditable in the Security log: 627/4723 (an account changed its own password) and 628/4724 (a password reset by another account).
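The following Python is an added example, not code from the original page, and serves both this section and section 1: it decodes the F value of one user key from an offline SAM hive. The offsets used (0x08 last logon, 0x18 password last set, 0x20 account expiry, 0x28 last failed logon, 0x30 RID, 0x38 ACB flags, 0x40/0x42 failed and successful logon counters) are the layout documented by public SAM parsers such as RegRipper's samparse plugin and are an assumption here; the 80-byte F value is constructed, not read from a real hive. Getting the bytes out of the hive (python-registry, RegRipper, or an exported hive) is left out.

```python
"""Parse a local user's F value from an offline SAM hive.

Added example, not code from the original page. The offsets are the layout
documented by public SAM parsers (e.g. RegRipper's samparse) and are an
assumption here; build_sample_f_value() returns constructed bytes, not data
from a real hive.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # sentinels Windows uses for "never"

ACB_FLAGS = {  # USER_ACCOUNT_CONTROL bits (MS-SAMR)
    0x0001: "ACB_DISABLED", 0x0002: "ACB_HOMDIRREQ", 0x0004: "ACB_PWNOTREQ",
    0x0008: "ACB_TEMPDUP", 0x0010: "ACB_NORMAL", 0x0020: "ACB_MNS",
    0x0040: "ACB_DOMTRUST", 0x0080: "ACB_WSTRUST", 0x0100: "ACB_SVRTRUST",
    0x0200: "ACB_PWNOEXP", 0x0400: "ACB_AUTOLOCK",
}


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime, None for never."""
    return None if ft in NEVER else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def user_key_name(rid):
    """Subkey under SAM\\Domains\\Account\\Users holding this user's F and V values."""
    return f"{rid:08X}"


def parse_f_value(f):
    """Decode the fixed-layout F value of one user key."""
    if len(f) < 0x44:
        raise ValueError("F value too short to hold the logon counters")
    # 0x08 last logon, 0x10 not used here, 0x18 pwd last set, 0x20 expiry, 0x28 last failed logon
    last_logon, _, pwd_last_set, expires, last_fail = struct.unpack_from("<5Q", f, 0x08)
    (rid,) = struct.unpack_from("<I", f, 0x30)
    (acb,) = struct.unpack_from("<H", f, 0x38)
    failed_count, logon_count = struct.unpack_from("<2H", f, 0x40)
    return {
        "rid": rid,
        "key": user_key_name(rid),
        "last_logon": filetime_to_dt(last_logon),
        "password_last_set": filetime_to_dt(pwd_last_set),
        "account_expires": filetime_to_dt(expires),
        "last_failed_logon": filetime_to_dt(last_fail),
        "logon_count": logon_count,
        "failed_logon_count": failed_count,
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
    }


def stale(record, now=None, max_days=90):
    """Dormant-account check: never logged on, or not within max_days of now."""
    now = now or datetime.now(timezone.utc)
    ll = record["last_logon"]
    return ll is None or (now - ll) > timedelta(days=max_days)


def build_sample_f_value():
    """Constructed 80-byte F value for a local user with RID 1001 (sample data only)."""
    f = bytearray(0x50)
    utc = timezone.utc
    struct.pack_into("<Q", f, 0x08, dt_to_filetime(datetime(2024, 1, 15, 9, 12, 33, tzinfo=utc)))
    struct.pack_into("<Q", f, 0x18, dt_to_filetime(datetime(2023, 11, 2, 18, 0, 0, tzinfo=utc)))
    struct.pack_into("<Q", f, 0x20, NEVER[1])  # account never expires
    struct.pack_into("<Q", f, 0x28, dt_to_filetime(datetime(2024, 1, 14, 23, 59, 1, tzinfo=utc)))
    struct.pack_into("<I", f, 0x30, 1001)
    struct.pack_into("<H", f, 0x38, 0x0210)  # ACB_NORMAL | ACB_PWNOEXP
    struct.pack_into("<2H", f, 0x40, 3, 42)  # 3 failed logons, 42 successful
    return bytes(f)


if __name__ == "__main__":
    for k, v in parse_f_value(build_sample_f_value()).items():
        print(f"{k:>20}: {v}")
```

The two timestamps this page cares about come out of the same 80 bytes, so one parser covers both artifacts; the ACB flags are worth keeping because a disabled or password-not-required account with a recent last logon is exactly the kind of thing the counters alone will not tell you.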


------------------------------------------------------------------------------------------------------------


4. Logon Types:

Location:

  • XP: Event ID 528 (and 540 for network logons)

  • Win7-10: Event ID 4624 (the Logon Type field is also present in 4625 failures)


Interpretation:

  • Different logon types indicate the method used for account authentication (the name in parentheses is the one Microsoft's documentation uses):

  • 2: Logon via console (Interactive): keyboard and screen at the machine

  • 3: Network Logon (Network): file shares, printers, and most WinRM/PsExec-style remote execution; the password itself never crosses the wire

  • 4: Batch Logon (Batch): scheduled tasks

  • 5: Windows Service Logon (Service): a service starting under a configured account

  • 7: Credentials used to unlock screen (Unlock)

  • 8: Network logon sending credentials in cleartext (NetworkCleartext), e.g. IIS Basic authentication

  • 9: Different credentials used than logged-on user (NewCredentials), e.g. runas /netonly; the local 4624 still names the original user, the alternate credentials are only used for outbound connections

  • 10: Remote interactive logon (RemoteInteractive): RDP and Remote Assistance. With Network Level Authentication a Type 3 logon for the same account usually precedes the Type 10.

  • 11: Cached credentials used to logon (CachedInteractive): a domain account validated against the local credential cache because no domain controller was reachable, e.g. a laptop off the corporate network

  • 12 and 13 (CachedRemoteInteractive, CachedUnlock): the cached-credential counterparts of types 10 and 7, seen on newer Windows versions
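The following Python is an added example, not code from the original page, and covers sections 2 and 4 together: it takes Security events in the XML form exported from Security.evtx, normalises the XP-era IDs listed in section 2 to their 4624/4625/4634 equivalents, and builds a per-account picture of successes, failures, source addresses and logon types, flagging the types that deserve a second look. The namespace and field names (TargetUserName, LogonType, IpAddress) are those of the real 4624/4625 events; the records themselves are constructed samples, and the assumption that an XP export has been converted into the same XML shape is mine.

```python
"""Summarise success/failure logons and logon types from Security log records.

Added example, not code from the original page. Input is the XML form of
Security events (what Get-WinEvent's ToXml() or an evtx-to-XML dump gives);
every record in SAMPLE_RECORDS is constructed, not real log data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# XP-era IDs normalised to their Vista+ equivalents so that legacy exports
# converted to the same XML shape (an assumption) go through the same summary.
LEGACY_TO_MODERN = {528: 4624, 540: 4624, 529: 4625, 538: 4634}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}
# Types worth calling out in a review: cleartext creds, alternate creds
# (runas /netonly), RDP, and DC-unreachable cached logons.
NOTEWORTHY = {8, 9, 10, 11, 12}
# Built-in principals that generate constant Type 5/0 noise.
NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Time, then every EventData field."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "Time": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    ev["EventID"] = LEGACY_TO_MODERN.get(ev["EventID"], ev["EventID"])
    return ev


def summarize_logons(xml_records):
    """Per-account counts of 4624/4625/4634 plus logon types, source IPs and flagged logons."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "logoff": 0,
                                   "types": set(), "sources": set(), "flags": []})
    for ev in map(parse_event, xml_records):
        eid = ev["EventID"]
        if eid not in (4624, 4625, 4634):
            continue
        acct = ev.get("TargetUserName", "")
        if acct.upper() in NOISE_ACCOUNTS or acct.endswith("$"):
            continue  # service principals and machine accounts
        s = summary[f"{ev.get('TargetDomainName', '')}\\{acct}"]
        if eid == 4634:
            s["logoff"] += 1
            continue
        ltype = int(ev.get("LogonType") or 0)
        s["types"].add(LOGON_TYPES.get(ltype, f"Unknown({ltype})"))
        src = ev.get("IpAddress", "")
        if src not in ("", "-", "::1", "127.0.0.1"):
            s["sources"].add(src)
        if eid == 4624:
            s["success"] += 1
            if ltype in NOTEWORTHY:
                s["flags"].append(f"{ev['Time']} type {ltype} from {src or 'local'}")
        else:
            s["failure"] += 1
    return dict(summary)


def _rec(event_id, time, **data):
    """Build one constructed event in the Security log's XML shape (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_RECORDS = [  # constructed, not real log data
    _rec(4624, "2024-01-15T09:12:33Z", TargetUserName="alice", TargetDomainName="CORP",
         LogonType=2, IpAddress="-"),
    _rec(4625, "2024-01-15T09:20:01Z", TargetUserName="admin", TargetDomainName="WS01",
         LogonType=3, IpAddress="10.0.0.5", SubStatus="0xC000006A"),
    _rec(4625, "2024-01-15T09:20:02Z", TargetUserName="admin", TargetDomainName="WS01",
         LogonType=3, IpAddress="10.0.0.5", SubStatus="0xC000006A"),
    _rec(4624, "2024-01-15T09:20:05Z", TargetUserName="admin", TargetDomainName="WS01",
         LogonType=10, IpAddress="10.0.0.5"),
    _rec(4624, "2024-01-15T09:21:00Z", TargetUserName="SYSTEM", TargetDomainName="NT AUTHORITY",
         LogonType=5, IpAddress="-"),
    _rec(528, "2024-01-15T10:00:00Z", TargetUserName="bob", TargetDomainName="CORP",
         LogonType=2, IpAddress="-"),  # XP-era ID, normalised to 4624
    _rec(4634, "2024-01-15T11:00:00Z", TargetUserName="alice", TargetDomainName="CORP", LogonType=2),
]

if __name__ == "__main__":
    for account, s in summarize_logons(SAMPLE_RECORDS).items():
        print(account, s["success"], s["failure"], sorted(s["types"]), sorted(s["sources"]), s["flags"])
```

The sample set carries the pattern section 2 describes: two 4625 failures for the local admin from 10.0.0.5 followed by a 4624 Type 10 from the same address, which the summary reports as a flagged RDP logon with the failure count beside it.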


-------------------------------------------------------------------------------------------------------------


5. RDP Usage:


Location:

  • XP: %systemroot%\System32\config\SecEvent.evt

  • Win7-10: %systemroot%\System32\winevt\logs\Security.evtx


Interpretation:

  • Event IDs provide information about Remote Desktop Protocol (RDP) sessions (XP ID / Vista-and-later ID):

  • 682/4778: Session Reconnected. Logged on the target when an existing session is resumed; the first logon of a new RDP session is recorded as 4624 with Logon Type 10 (section 4), not as 4778.

  • 683/4779: Session Disconnected. The user closed the RDP client or switched away without logging off; the session and its processes stay alive until a logoff or a reconnect.

  • Hostname and IP address of remote machines making the connection are logged (ClientName and ClientAddress), together with the account, its Logon ID and the session name (e.g. RDP-Tcp#3). ClientName is whatever the client reports about itself and can be set to anything, so the IP address is the value to pivot on.

  • The same pair of events fires for local Fast User Switching, with SessionName "Console" and ClientAddress "LOCAL"; filter on session names beginning with RDP- to isolate remote sessions.

  • Corroborate with the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log (21 session logon, 24 session disconnected, 25 session reconnection), which is written regardless of the Security audit policy.
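The following Python is an added example for the 4778/4779 pair, not code from the original page. It takes records already flattened to dicts (EventID, Time and the EventData fields of 4778/4779), pairs reconnects with disconnects by Logon ID and session name, computes durations, skips the Fast User Switching Console sessions unless asked, and keeps an orphan 4779 as evidence of a session older than the log. The record set is constructed, including the deliberately out-of-order timestamps.

```python
"""Pair 4778/4779 Security events into RDP sessions.

Added example, not code from the original page. Records are dicts holding
EventID, Time and the EventData fields of 4778/4779 (AccountName,
AccountDomain, LogonID, SessionName, ClientName, ClientAddress); SAMPLE is
constructed, not real log data.
"""
from datetime import datetime

RECONNECT, DISCONNECT = {682, 4778}, {683, 4779}  # XP ID / Vista+ ID


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _session(ev):
    return {
        "account": f"{ev['AccountDomain']}\\{ev['AccountName']}",
        "session": ev["SessionName"],
        "client_name": ev["ClientName"],  # self-reported by the client, not trustworthy
        "client_address": ev["ClientAddress"],
        "connected": None, "disconnected": None, "duration_s": None,
    }


def pair_rdp_sessions(records, include_console=False):
    """Return (closed, still_open) session lists.

    A 4778 opens or re-opens a session keyed by (LogonID, SessionName); the
    matching 4779 closes it. Fast User Switching emits the same pair with
    SessionName 'Console' and ClientAddress 'LOCAL', so those are skipped
    unless include_console is set. A 4779 with no earlier 4778 is kept as a
    closed session with connected=None: the connect predates the log.
    """
    open_sessions, closed = {}, []
    for ev in sorted(records, key=lambda r: r["Time"]):
        if ev["EventID"] not in RECONNECT | DISCONNECT:
            continue
        if not include_console and not ev["SessionName"].upper().startswith("RDP-"):
            continue
        key = (ev["LogonID"], ev["SessionName"])
        if ev["EventID"] in RECONNECT:
            sess = _session(ev)
            sess["connected"] = ev["Time"]
            open_sessions[key] = sess
        else:
            sess = open_sessions.pop(key, None) or _session(ev)
            sess["disconnected"] = ev["Time"]
            if sess["connected"]:
                sess["duration_s"] = int((_ts(ev["Time"]) - _ts(sess["connected"])).total_seconds())
            closed.append(sess)
    return closed, list(open_sessions.values())


def sessions_by_client(sessions):
    """Pivot: which accounts each client address has been used for."""
    by_addr = {}
    for s in sessions:
        by_addr.setdefault(s["client_address"], set()).add(s["account"])
    return by_addr


def _rec(event_id, time, name, domain, logon_id, session, client, addr):
    return {"EventID": event_id, "Time": time, "AccountName": name, "AccountDomain": domain,
            "LogonID": logon_id, "SessionName": session, "ClientName": client, "ClientAddress": addr}


SAMPLE = [  # constructed records, deliberately out of order
    _rec(4778, "2024-01-15T09:20:05Z", "admin", "WS01", "0x3E7F1", "RDP-Tcp#3", "ATTACKER-PC", "10.0.0.5"),
    _rec(4779, "2024-01-15T09:45:10Z", "admin", "WS01", "0x3E7F1", "RDP-Tcp#3", "ATTACKER-PC", "10.0.0.5"),
    _rec(4778, "2024-01-15T09:30:00Z", "alice", "CORP", "0x41A2C", "Console", "WS01", "LOCAL"),
    _rec(4779, "2024-01-15T09:50:00Z", "alice", "CORP", "0x41A2C", "Console", "WS01", "LOCAL"),
    _rec(4779, "2024-01-15T08:00:00Z", "bob", "CORP", "0x2001", "RDP-Tcp#1", "LAPTOP-B", "10.0.0.9"),
    _rec(4778, "2024-01-15T22:10:00Z", "admin", "WS01", "0x3E7F1", "RDP-Tcp#5", "ATTACKER-PC", "10.0.0.5"),
]

if __name__ == "__main__":
    closed, still_open = pair_rdp_sessions(SAMPLE)
    for s in closed + still_open:
        print(s)
    print(sessions_by_client(closed + still_open))
```

Keying on Logon ID rather than the account name matters when the same account reconnects to two different sessions (RDP-Tcp#3 and RDP-Tcp#5 in the sample); the still-open list at the end is the set of sessions that had no disconnect before the log ends, which is where a live intruder session shows up.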


-------------------------------------------------------------------------------------------------------------

