Type 2 logons from non-users?
Posted 8/15/2018 1:58:00 PM
Forum Newbie
Group: Forum Members

We have tracked logins on only a few Win7 machines. We now need to do so on a Win10 Pro (1703) system configured by a vendor (i.e. we don't know everything they did and can't mess around too much) and see dozens of 4624 events of Logon Type 2 for a couple of virtual accounts. They are obviously NOT interactive as the descriptions I've seen would indicate.

The encyclopedia on this site for 4624 states that "Virtual Accounts only come up in Service logon types (type 5)". I also thought that the domain for service accounts is supposed to be "NT Authority" or "NT Service".

Specifically:

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: VendorComputer$
Account Domain:
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-90-0-47
Account Name: DWM-47
Account Domain: Window Manager
Logon ID: 0xABD2F23
Linked Logon ID: 0xABD2F51
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x15e8
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


and

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: VendorComputer$
Account Domain:
Logon ID: 0x3E7

Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-96-0-47
Account Name: UMFD-47
Account Domain: Font Driver Host
Logon ID: 0xABD2A37
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x15e8
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


Is this "normal", or is something wrong with this machine?
Post #8486
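The two records quoted above are what Window Manager (DWM-N, SID S-1-5-90-0-N) and Font Driver Host (UMFD-N, SID S-1-5-96-0-N) virtual accounts look like in 4624: Logon Type 2, logged on by winlogon.exe, "Virtual Account: Yes". For the original goal of tracking who actually logged on at the console, the practical fix is to filter those accounts out rather than to explain each one. The following PowerShell is an added example written for this page, not code from the thread or from any Microsoft documentation. It assumes Get-WinEvent (Windows PowerShell 3+ or PowerShell 7); the "alice" account, its SID and the timestamps in the sample records are constructed.

```powershell
# Added example (editor's code, not from the thread): separate the DWM-N/UMFD-N virtual-account
# Logon Type 2 events that winlogon.exe generates from logons by actual user accounts, so that
# "who logged on at the console" can be answered from 4624 alone.

# Well-known SID prefixes of the virtual accounts seen in the thread.
$VirtualAccountSidPrefixes = @(
    'S-1-5-90-',   # Window Manager   (DWM-N,  S-1-5-90-0-N)
    'S-1-5-96-'    # Font Driver Host (UMFD-N, S-1-5-96-0-N)
)

# Logon types a person produces: 2 console, 7 unlock, 10 RDP, 11 cached-credential console.
$InteractiveLogonTypes = 2, 7, 10, 11

function ConvertFrom-Event4624 {
    # Flatten the <EventData> of one 4624 record (EventLogRecord.ToXml() output) into an object.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $d = @{}
    foreach ($node in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $d[$node.GetAttribute('Name')] = $node.InnerText
    }

    $sid = [string]$d['TargetUserSid']
    [pscustomobject]@{
        Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
        LogonType = [int]$d['LogonType']
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        TargetSid = $sid
        Process   = $d['ProcessName']
        # %%1843 is the resource string Event Viewer renders as "Virtual Account: Yes".
        # The SID prefix check catches the same accounts when that field is absent.
        IsVirtual = ($d['VirtualAccount'] -eq '%%1843') -or
                    [bool]($VirtualAccountSidPrefixes | Where-Object { $sid.StartsWith($_) })
    }
}

function Get-HumanInteractiveLogons {
    # Accepts 4624 EventLogRecord objects from Get-WinEvent, or raw event XML strings.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml = if ($Event -is [string]) { $Event } else { $Event.ToXml() }
        $e = ConvertFrom-Event4624 $xml
        if ($e.LogonType -in $InteractiveLogonTypes -and -not $e.IsVirtual) { $e }
    }
}

# Constructed sample records modelled on the two events quoted in the thread, plus one
# genuine console logon by a local user (account, SID and times invented for the example).
function New-Sample4624 {
    param($Time, $Sid, $User, $Domain, $Virtual, $Process)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserSid">$Sid</Data>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessName">$Process</Data>
    <Data Name="VirtualAccount">$Virtual</Data>
  </EventData>
</Event>
"@
}

$winlogon = 'C:\Windows\System32\winlogon.exe'
$samples = @(
    New-Sample4624 '2018-08-15T12:01:03Z' 'S-1-5-90-0-47' 'DWM-47'  'Window Manager'   '%%1843' $winlogon
    New-Sample4624 '2018-08-15T12:01:03Z' 'S-1-5-96-0-47' 'UMFD-47' 'Font Driver Host' '%%1843' $winlogon
    New-Sample4624 '2018-08-15T12:02:41Z' 'S-1-5-21-1111111111-2222222222-3333333333-1001' 'alice' 'VENDORCOMPUTER' '%%1842' $winlogon
)

$samples | Get-HumanInteractiveLogons | Format-Table Time, LogonType, Account, Process

# Against the live Security log (run elevated), or an .evtx exported from the vendor machine:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | Get-HumanInteractiveLogons
# Get-WinEvent -Path .\VendorComputer-Security.evtx -FilterXPath '*[System[EventID=4624]]' | Get-HumanInteractiveLogons
```

The two virtual-account records are excluded by both the VirtualAccount field and the SID prefix, so either check alone is enough; keeping both means the filter still works on records from older builds that lack the field. Note that this only removes known Windows virtual accounts; a logon by a real account that merely looks odd (wrong time, wrong Process Name, a Source Network Address on a Type 2 logon) still comes through and is exactly what the remaining rows should be read for.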
Posted 8/27/2018 5:19:54 PM
Supreme Being
Group: Moderators

Are virtual accounts unable to log in interactively? I don't see a reference that says a virtual account can't log in interactively. Anyway, it's hard to say if this is normal or not based on this event alone. Review all of the events from that machine and determine if there were strange processes being run, abnormal activity for that machine, strange logon times, logs being cleared, etc.
Post #8492
Posted 8/29/2018 12:03:31 PM
Forum Newbie
Group: Forum Members

derekthomas (8/27/2018)
Are virtual accounts unable to log in interactively?


I suppose they are able to if someone knows the password, but since the "interactive" logon type (2) has a description of "logon at keyboard and screen of system" and no human knows the virtual account credentials... well, there's an inconsistency of documentation.

I'm not worried about a hijacked machine; it's a brand new setup from the vendor and is on a private network. My issue is in trying to track logins. I'm seeing these virtual accounts with an "interactive" login when I am reading:

Virtual Accounts only come up in Service logon types (type 5), when Windows starts a logon session in connection with a service starting up.


On this page.

Thanks for the reply.
Post #8495
Posted 9/10/2018 8:12:34 PM
Supreme Being
Group: Moderators

I'm guessing it is still possible to compromise the credentials of these accounts if the host was compromised. I would look for signs of abnormal activity or a compromise in other logs on that machine. I would ensure that the machine is appropriately secured.
Post #8497