Authentication Logs

Authentication logs are the most important Windows log category for detecting account compromise, brute force attacks, lateral movement, privilege misuse, and insider threats. These logs track every login attempt, logout, credential validation, Kerberos activity, NTLM authentication, and RDP session creation. A SOC analyst must understand exactly which events matter, how to read them, and how attackers appear inside these logs.

Authentication logs primarily come from the Security event channel, but additional logs (Sysmon, RDP logs, NTLM logs, Kerberos logs) contribute critical details.


Where Authentication Logs Come From

Authentication-related events appear in:

Security.evtx
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Microsoft-Windows-Kerberos/Operational
Microsoft-Windows-NTLM/Operational

Logs are forwarded to the SIEM using Winlogbeat or WEF (Windows Event Forwarding).


Core Windows Authentication Events

Windows uses specific Event IDs for authentication. The Security log contains the majority of them.

Below are the events every SOC analyst must know, along with practical examples.


Successful Logon — Event ID 4624

This logs every successful authentication.

Key fields:

  • Logon Type

  • Account Name

  • Source IP

  • Process Name

Example

4624 - An account was successfully logged on
Account Name: mayur
Logon Type: 10
Source IP: 185.22.10.33

Logon Type 10 indicates an RDP logon, which appears frequently in attacks and should always be scrutinised.


Failed Logon — Event ID 4625

Triggered on failed authentication attempts.

Useful for detecting brute force and password spraying.

Example

4625 - An account failed to log on
Account Name: admin
Failure Reason: Unknown user or bad password
Source Address: 185.22.10.33

If repeated many times, it indicates a brute force attempt.


Account Lockout — Event ID 4740

Indicates that repeated failures resulted in an account lockout.

Example

4740 - A user account was locked out
Target User: john
Caller Computer: WIN-SERVER01

Used in the detection of password spraying.
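As an added illustration, not code from the original page, the following Python script applies the brute-force and password-spraying logic described in the 4625 and 4740 sections to a small set of constructed 4625 records. The record field names, the thresholds and the five-minute window are assumptions for the example; in practice the events would come from Security.evtx or the SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample 4625 records (not real telemetry). Each mirrors the fields
# the text highlights: timestamp, Account Name, Source Address, Failure Reason.
def _failed_logon(ts, account, src, reason="Unknown user or bad password"):
    return {"ts": ts, "account": account, "src": src, "reason": reason}


T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_4625 = (
    # brute force: one account, one source, 12 failures in under two minutes
    [_failed_logon(T0 + timedelta(seconds=10 * i), "admin", "185.22.10.33") for i in range(12)]
    # password spray: six different accounts from one source, one attempt each
    + [_failed_logon(T0 + timedelta(seconds=30 * i), user, "203.0.113.7")
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # benign noise: a user mistyping a password twice from an internal host
    + [_failed_logon(T0, "john", "10.0.0.5"),
       _failed_logon(T0 + timedelta(seconds=45), "john", "10.0.0.5")]
)

# Thresholds are assumptions for the example; tune them to the environment.
BRUTE_FORCE_THRESHOLD = 10     # failures for one (source, account) pair inside WINDOW
SPRAY_MIN_ACCOUNTS = 5         # distinct accounts failed from one source inside WINDOW
WINDOW = timedelta(minutes=5)


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """Return {(src, account): peak failure count} for pairs that reach the threshold."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["account"])].append(e["ts"])
    hits = {}
    for pair, times in by_pair.items():
        peak = _max_in_window(times, window)
        if peak >= threshold:
            hits[pair] = peak
    return hits


def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Return {src: sorted accounts} for sources that failed against many distinct accounts."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["account"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        best, left = set(), 0
        for right in range(len(items)):
            while items[right][0] - items[left][0] > window:
                left += 1
            accounts = {acct for _, acct in items[left:right + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_4625))
    print("password spray:", detect_password_spray(SAMPLE_4625))
```

The two detectors deliberately key on different dimensions: brute force is many failures against one account from one source, while spraying is one source touching many accounts with few attempts each, which is exactly why a per-account lockout threshold (4740) often never fires during a spray.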


Logoff — Event ID 4634

Indicates that a user session ended.

Helps analysts track full session timelines.

Example

4634 - An account was logged off


Special Privileges Assigned — Event ID 4672

Triggered when privileged accounts log in.

Example

4672 - Special privileges assigned to new logon
User: administrator

Used for privilege escalation detection.


Kerberos Authentication Events

Kerberos logs track domain authentication.

4768 — TGT Request

4768 - Kerberos Authentication Ticket Requested
User: mayur

4769 — Service Ticket Request

4769 - Service Ticket Requested

Useful for detecting Golden Ticket attacks or Kerberoasting.


NTLM Authentication Events — 4776

Logged when NTLM is used instead of Kerberos (NTLM fallback).

Example

4776 - Credential Validation
User: admin
Status: 0xC000006A (bad password)

Helps identify legacy systems and lateral movement that relies on NTLM.
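The examples on this page are written as an event header followed by "Field: value" lines. The following Python code is an added example, not from the original page: it parses records in that format and decodes the hexadecimal Status value carried by 4776 (the same NTSTATUS codes appear in the Status/Sub Status fields of 4625). The NTSTATUS numbers are documented Windows values; the short explanations, the helper names and the sample records are this example's own constructions.

```python
import re

# NTSTATUS values commonly seen in the Status field of 4776 and in the
# Status/Sub Status fields of 4625. Codes are documented Windows constants;
# the explanations are this example's wording.
NTSTATUS = {
    0x00000000: "success",
    0xC000006A: "wrong password (account exists)",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
    0xC0000224: "password must change at next logon",
}

_HEADER = re.compile(r"^(\d+)\s*-\s*(.+)$")   # e.g. "4776 - Credential Validation"
_STATUS = re.compile(r"0x[0-9A-Fa-f]+")


def parse_record(text):
    """Turn one page-style record ("<id> - <title>" then "Field: value" lines) into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = _HEADER.match(lines[0])
    if not m:
        raise ValueError("record must start with '<EventID> - <description>'")
    rec = {"EventID": int(m.group(1)), "Description": m.group(2).strip()}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def parse_records(blob):
    """Split a blob of blank-line-separated records and parse each one."""
    return [parse_record(chunk) for chunk in re.split(r"\n\s*\n", blob.strip()) if chunk.strip()]


def decode_status(value):
    """Map a Status field such as '0xC000006A (bad password)' to (code, meaning)."""
    m = _STATUS.search(value or "")
    if not m:
        return None, "no status code present"
    code = int(m.group(0), 16)
    return code, NTSTATUS.get(code, "unrecognised NTSTATUS; look it up before concluding")


# Constructed sample in the format the text uses (not real log output).
SAMPLE_TEXT = """
4776 - Credential Validation
User: admin
Status: 0xC000006A (bad password)

4776 - Credential Validation
User: svc-backup-old
Status: 0xC0000064

4624 - An account was successfully logged on
Account Name: mayur
Logon Type: 10
Source IP: 185.22.10.33
"""


def summarise(blob):
    """Return (EventID, user or account, status meaning) per record for triage."""
    out = []
    for rec in parse_records(blob):
        who = rec.get("User") or rec.get("Account Name")
        if rec["EventID"] == 4776:
            _, meaning = decode_status(rec.get("Status"))
        else:
            meaning = "n/a"
        out.append((rec["EventID"], who, meaning))
    return out


if __name__ == "__main__":
    for row in summarise(SAMPLE_TEXT):
        print(row)
```

Distinguishing 0xC000006A (wrong password for a real account) from 0xC0000064 (no such user) matters during triage: a burst of the latter across many names points at guessed or stale account lists rather than at a known-good credential being targeted.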


RDP Session Logs

RDP activity is critical evidence in SOC investigations.

Event ID 21 (RDP Logon)

Remote Desktop Services: Logon
User: mayur
IP: 185.44.22.11

Event ID 24 (RDP Disconnected)

Remote Desktop Session disconnected

Attackers commonly use RDP after gaining credentials.


Logon Types (Critical for SOC)

Logon Type defines how the login occurred.

Important ones:

  • 2 = Interactive (local)

  • 3 = Network (lateral movement)

  • 4 = Batch

  • 5 = Service

  • 7 = Unlock

  • 8 = NetworkCleartext

  • 10 = RDP

  • 11 = CachedInteractive

Example:

4624
Logon Type: 3

Logon Type 3 is often used in Pass-the-Hash or SMB lateral movement.


Authentication Attack Visibility

Authentication logs expose almost all credential-based attacks.

1. Brute Force

Repeated 4625 → then 4624.

2. Password Spraying

Many usernames targeted with one password.

3. Credential Stuffing

Many login attempts from a known-malicious IP.

4. Pass-the-Hash

A 4624 logon using the NTLM authentication package with no corresponding Kerberos pre-authentication evidence.

5. Pass-the-Ticket

Kerberos anomalies in 4769 and 4768.

6. Compromised Admin Account

4624 + 4672 from unusual workstation.

7. Lateral Movement

4624 Logon Type 3 to new hosts.

8. RDP Compromise

4624 Logon Type 10 from foreign IP.

Attackers cannot hide these behaviors easily since authentication always produces logs.


Example: Full Authentication Attack Timeline

Attacker brute forces:

4625 repeated 20 times

Then logs in:

4624 (success)
Logon Type: 10
Source IP: 185.22.10.33

Privilege escalation occurs:

4672 - Special privileges assigned

Attacker moves laterally:

4624 - Logon Type 3 to FILE-SERVER01

SOC sees clear evidence of compromise.
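To show how the Logon Type table and the timeline above fit together, here is an added Python example (not code from the original page) that replays a constructed event stream matching that timeline and reconstructs the attack chain per account: a 4625 burst, a 4624 from the same source, a 4672 for the same logon, and then a Logon Type 3 4624 on a different host. The event field names, the failure threshold and the one-hour chain window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon Type values as listed in the text (Security event 4624).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 10: "RDP", 11: "CachedInteractive",
}

# Thresholds and windows are assumptions for this example.
FAIL_THRESHOLD = 10                # 4625s from one source before a success count as brute force
CHAIN_WINDOW = timedelta(hours=1)  # later stages this long after the entry logon belong to the chain


def _event(ts, event_id, account, **fields):
    rec = {"ts": ts, "id": event_id, "account": account}
    rec.update(fields)
    return rec


# Constructed event stream reproducing the timeline in the text, plus benign noise.
T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_EVENTS = (
    [_event(T0 + timedelta(seconds=5 * i), 4625, "mayur", src="185.22.10.33", host="WIN-SERVER01")
     for i in range(20)]
    + [
        _event(T0 + timedelta(seconds=110), 4624, "mayur", src="185.22.10.33", host="WIN-SERVER01", logon_type=10),
        _event(T0 + timedelta(seconds=110), 4672, "mayur", host="WIN-SERVER01"),
        _event(T0 + timedelta(minutes=6), 4624, "mayur", src="10.0.0.21", host="FILE-SERVER01", logon_type=3),
        # benign: a console logon and ordinary file-share access with no failure burst
        _event(T0 + timedelta(minutes=1), 4624, "john", src="127.0.0.1", host="WS-JOHN", logon_type=2),
        _event(T0 + timedelta(minutes=2), 4624, "john", src="10.0.0.40", host="FILE-SERVER01", logon_type=3),
    ]
)


def reconstruct_chain(events, account, fail_threshold=FAIL_THRESHOLD, window=CHAIN_WINDOW):
    """Walk one account's events in time order and list the attack stages observed."""
    timeline = sorted((e for e in events if e["account"] == account), key=lambda e: e["ts"])
    stages = []
    fails_by_src = defaultdict(int)
    entry = None   # the first successful logon that followed a failure burst
    for e in timeline:
        if e["id"] == 4625:
            fails_by_src[e["src"]] += 1
            if fails_by_src[e["src"]] == fail_threshold:
                stages.append(f"brute_force:{e['src']}")
        elif e["id"] == 4624 and entry is None:
            # a success from a source that already failed many times is the entry point
            if fails_by_src.get(e["src"], 0) >= fail_threshold:
                entry = e
                stages.append(f"success_after_failures:{LOGON_TYPES.get(e['logon_type'], 'unknown')}")
        elif entry is not None and e["ts"] - entry["ts"] <= window:
            if e["id"] == 4672 and "privileged_logon" not in stages:
                stages.append("privileged_logon")
            elif e["id"] == 4624 and e.get("logon_type") == 3 and e["host"] != entry["host"]:
                stages.append(f"lateral_movement:{e['host']}")
    return stages


def accounts_with_chains(events, min_stages=2):
    """Return {account: stages} for accounts whose chain reached at least min_stages."""
    result = {}
    for account in sorted({e["account"] for e in events}):
        stages = reconstruct_chain(events, account)
        if len(stages) >= min_stages:
            result[account] = stages
    return result


if __name__ == "__main__":
    for account, stages in accounts_with_chains(SAMPLE_EVENTS).items():
        print(account, "->", " > ".join(stages))
```

Note that john's Logon Type 3 to FILE-SERVER01 is not reported: a network logon on its own is normal file-share traffic, and the example only treats it as lateral movement when it follows an entry logon that itself followed a failure burst. That ordering is what turns individual events into the "clear evidence of compromise" the text describes.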


Authentication Log Fields Analysts Must Always Check

  • Logon Type

  • Source IP

  • Target User

  • Failure Reason

  • Authentication Package (Kerberos/NTLM)

  • Workstation Name

  • Process Name

  • Target Server

  • Account Domain

Together, these fields let the analyst decide whether a login was legitimate or malicious.


Why Authentication Logs Are Critical

Authentication logs provide:

  • Early compromise detection

  • Lateral movement visibility

  • Privilege escalation tracking

  • Insider activity monitoring

  • Credential theft detection

  • Password policy enforcement

They act as the first warning system in most attacks.


Intel Dump

  • Authentication logs come mainly from the Security log, along with RDP, NTLM, and Kerberos logs.

  • Key events include 4624, 4625, 4672, 4740, 4768, 4769, 4776.

  • RDP logs reveal remote access attempts and session activity.

  • Logon Type values reveal the authentication method and possible attack techniques.

  • Authentication logs expose brute force, password spraying, credential theft, lateral movement, and privilege abuse.

  • SOC analysts rely heavily on login-related fields for detection and investigation.
