Hi Nonsaho - Thanks for keeping me honest and forcing me to dig deeper. Based on my sources the following senarios can result in a blank "authentication package" field.
- Local API-Initiated Logons
If the logon is initiated by a local API call (e.g., LogonUser() or LsaLogonUser()), especially for service accounts or background tasks, the system may not populate the Authentication Package field. This is because the credentials are already available locally and no SSP is invoked
- S4U (Service for User) or Delegation Scenarios
In Kerberos S4U or delegation scenarios, the system may impersonate a user without needing their credentials. These logons can result in Event 4624 entries with missing or blank fields, including the Authentication Package
- Token-Only or Authorization-Only Logons
Some logons are created purely for authorization checks (e.g., AuthzInitializeContextFromSid) and not for actual authentication. These may generate 4624 events with minimal data, including a blank Authentication Package
- System or Service Logons
When services start under the LocalSystem or NetworkService accounts, the logon may not involve a traditional authentication package. This is especially true for Logon Type 5 (Service) or Logon Type 7 (Unlock)
Those activities could be using NTLM and associated with lsass.exe. I guess the best approach if there are 4624 with blank "Authentication Package" fields is to proceed with caution. I would not let it stop the hardening effort but you might want to disable NTLMv1 on those devices individually so you can quickly identity if the change caused an application to break.