Jan 03 2023 02:39 PM - edited Jan 03 2023 02:41 PM
After reviewing some AD Domain Controller logs, I've been doing loads of reading on Event ID 4624 and trying to understand user behaviour. One thing I have noticed is accounts appearing to be doing interactive logons (Logon Type 2) which should not be. I immediately suspected someone is using these accounts instead of their own.
I've read that "real" logons usually have the process lsass.exe or svchost.exe, which from my reading are normal for a true logon. However, I noticed that an unusual process was listed for the event, which appears to be something legitimate installed on the machine later (a legitimate process/application).
Could this be something running as a service? If that's the case, I would have expected a logon type 5.
A scheduled task? Then shouldn't it be a logon type 4?
Any idea how I can track down how this is being run, why it runs under the particular account, and why it's showing as an interactive logon?
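The following is an added example and is not code from the original post or from any reply in this thread. It works from two facts about 4624: the Process Information fields (ProcessName/ProcessId) name the process that requested the logon, and the logon type is whatever that caller asked for when it called LogonUser. An application that authenticates stored credentials as LOGON32_LOGON_INTERACTIVE therefore produces a Type 2 event with itself as the caller, however it was itself started (service, task or by hand). The script lists Type 2 logons whose caller is not one of the usual Windows callers, then uses 4688 process-creation events to find how the caller was launched (its parent process) and what ran inside the new session. It assumes an elevated shell on the machine holding the log, or an exported .evtx passed with -Path; the "expected caller" list and the 24-hour window are assumptions to tune.

```powershell
<#
Added example, not from the original post: hunt Logon Type 2 (interactive) 4624 events,
show which process requested each logon, and correlate with 4688 process-creation events
to see how that process was launched and what ran in the resulting session.

Assumptions:
  - Run elevated on the machine whose Security log you are reviewing, or pass -Path to an
    exported .evtx (the poster's log is not available here).
  - 4688 correlation needs "Audit Process Creation" enabled; ParentProcessName is only
    populated on Windows 10 / Server 2016 and later.
  - -IgnoreCallers is an assumed list of normal callers: winlogon.exe (console logon),
    svchost.exe (seclogon/runas, RDP, Task Scheduler), services.exe (type 5 service
    logons), lsass.exe (network logons). Tune it for your environment.
#>
param(
    [string]$Path,
    [int]$Hours = 24,
    [string[]]$IgnoreCallers = @('winlogon.exe', 'svchost.exe', 'services.exe', 'lsass.exe')
)

function Get-EventDataMap {
    # Flatten the <EventData> of a Security event into a hashtable keyed by field name,
    # so fields such as TargetLogonId and ProcessName can be read by name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-SecurityEvents {
    param([int]$Id)
    $filter = @{ Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# 1. Interactive logons. ProcessName/ProcessId are the process that called LogonUser;
#    LogonType is the type that caller requested.
$interactive = foreach ($e in Get-SecurityEvents -Id 4624) {
    $d = Get-EventDataMap $e
    if ($d.LogonType -ne '2') { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonId    = $d.TargetLogonId     # hex; later events in this session carry it as SubjectLogonId
        Caller     = $d.ProcessName
        CallerPid  = $d.ProcessId         # hex PID of the calling process
        CallerUser = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        AuthPkg    = $d.AuthenticationPackageName
    }
}

# Keep only logons requested by something other than the expected Windows callers.
$suspect = $interactive | Where-Object {
    $IgnoreCallers -notcontains [IO.Path]::GetFileName([string]$_.Caller)
}

Write-Host "Type 2 logons by (caller, account), excluding expected callers:"
$suspect | Group-Object Caller, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Process-creation events, used below both to find the caller's own launch and to list
#    what ran under each new logon session.
$procs = foreach ($e in Get-SecurityEvents -Id 4688) {
    $d = Get-EventDataMap $e
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Pid     = $d.NewProcessId         # hex, same format as the 4624 ProcessId field
        Name    = $d.NewProcessName
        Parent  = $d.ParentProcessName
        LogonId = $d.SubjectLogonId
        Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    }
}

foreach ($s in $suspect) {
    # a) How was the caller launched? Latest 4688 before the logon whose new PID is the
    #    caller's PID (PIDs are reused, so the time ordering matters). A parent of
    #    services.exe means a service; an svchost.exe parent suggests a scheduled task;
    #    explorer.exe means a user started it by hand.
    $launch = $procs | Where-Object { $_.Pid -eq $s.CallerPid -and $_.Time -le $s.Time } |
              Sort-Object Time -Descending | Select-Object -First 1
    # b) What ran inside the new interactive session? Every 4688 carrying this logon ID.
    $children = $procs | Where-Object { $_.LogonId -eq $s.LogonId } | Sort-Object Time

    Write-Host ("`n{0:u}  {1} logged on interactively via {2} (pid {3}) running as {4}" -f
        $s.Time, $s.Account, $s.Caller, $s.CallerPid, $s.CallerUser)
    if ($launch) {
        Write-Host ("   caller started {0:u} by parent {1} as {2}" -f $launch.Time, $launch.Parent, $launch.Subject)
    } else {
        Write-Host "   caller launch not found in 4688 (auditing off, or started before the window)"
    }
    foreach ($c in $children) { Write-Host ("   session ran: {0}" -f $c.Name) }
}
```

The CallerUser column (the 4624 Subject fields) is the account the calling process itself runs under, which is usually the quickest answer to "why this account": if a service or task runs as SYSTEM and the Subject is SYSTEM while the Target is a named user, the application is supplying that user's credentials itself. Event 4648 ("A logon was attempted using explicit credentials") from the same caller, if present, records the same thing from the other side.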
Jan 16 2023 01:56 PM
Jan 24 2023 11:54 AM - edited Jan 29 2023 02:31 AM
Did this help you find more data?