Success/Failed Logons

Description: Track successful/failed activity associated with user account logons.

Location:

  • C:\Windows\System32\winevt\logs\Security.evtx

Notes:

  • Event ID: 4624 - Successful Logon.
  • Event ID: 4625 - Failed Logon.
  • Event ID: 4634/4647 - Successful Logoff.
  • Event ID: 4648 - Logon using Explicit Credentials. (Runas)
  • Event ID: 4672 - Special Privileges Assigned to New Logon. (Administrator-equivalent accounts; pairs with the 4624 that shares its Logon ID)
  • Event ID: 4720 - An Account was Created.

Analysis: Windows logs multiple Event IDs associated with successful and failed user logon events. These logs are useful for tracking the account usage of known compromised accounts: the 4624/4625 events carry the target account, the Logon Type (2 = interactive, 3 = network, 10 = RemoteInteractive/RDP) and, for remote logons, the source IP address and workstation name. Whether failed attempts are recorded at all depends on the audit policy in effect on the host, so an absence of 4625 events is not by itself evidence of an absence of failures.

We can use the native Windows Event Viewer application for analyzing .evtx files. On a Windows client, double-clicking an .evtx file automatically opens the log under the Saved Logs folder in Event Viewer.

To filter for a specific event, select Filter Current Log... to pull up a dialog box with filtering options and input the Event ID you'd like to isolate. The Event IDs field accepts a comma-separated list (for example 4624,4625,4648), so the logon-related IDs above can be shown together in one view.
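When there are many events or several hosts to review, the same filtering is faster from PowerShell. The following is an added example, not part of the original page, and assumes the Security log was exported to the hypothetical path C:\Cases\Security.evtx and that the account of interest is the hypothetical user jsmith. It pulls the Event IDs listed above, extracts the fields that matter for logon tracking from each event's XML, and produces three views: a timeline for one account, failed logons grouped by account and source (the brute-force / password-spray view), and successful remote logons.

```powershell
# Added example (not from the original page): triage Security.evtx for logon activity.
# Assumed (hypothetical) location of the exported log and account under investigation.
$LogPath = 'C:\Cases\Security.evtx'
$Suspect = 'jsmith'

# Event IDs covered in the notes above.
$LogonIds = 4624, 4625, 4648, 4672, 4720

# Helper: read one named <Data Name="..."> field from the event's EventData XML.
# Returns $null when the field is not present for that event type.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Read only the IDs we care about straight from the saved .evtx file.
$events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = $LogonIds } -ErrorAction Stop

$rows = foreach ($e in $events) {
    # 4624/4625/4648/4720 name the affected account in TargetUserName;
    # 4672 only has the subject (the account that received the privileges).
    $account = Get-EventField $e 'TargetUserName'
    if (-not $account) { $account = Get-EventField $e 'SubjectUserName' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Account     = $account
        Domain      = Get-EventField $e 'TargetDomainName'
        LogonType   = Get-EventField $e 'LogonType'        # populated for 4624/4625 only
        SourceIp    = Get-EventField $e 'IpAddress'        # populated for 4624/4625 only
        Workstation = Get-EventField $e 'WorkstationName'  # populated for 4624/4625 only
        Status      = Get-EventField $e 'Status'           # 4625 failure status code
    }
}

# 1) Chronological activity for the compromised / suspect account.
Write-Host "== Timeline for $Suspect =="
$rows | Where-Object Account -eq $Suspect | Sort-Object Time |
    Format-Table Time, EventId, LogonType, SourceIp, Workstation -AutoSize

# 2) Failed logons by account and source. Many accounts from one source is a
#    spray; many failures against one account is a brute force.
Write-Host '== Failed logons (4625) by account and source =='
$rows | Where-Object EventId -eq 4625 |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# 3) Successful remote logons: type 3 (network, e.g. SMB/WinRM) and type 10 (RDP).
Write-Host '== Successful remote logons (4624, type 3/10) =='
$rows | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in '3', '10' } |
    Sort-Object Time |
    Format-Table Time, Account, Domain, LogonType, SourceIp, Workstation -AutoSize
```

Run it from an elevated PowerShell prompt on the analysis machine; reading a saved .evtx does not require the log to come from the same host. Replace Path with LogName = 'Security' in the filter hashtable to run the same triage against the live log of the machine you are on.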