Winlogon Process initialization
Winlogon is initialized. Winlogon is a
system component (it’s a process) that
acts as a proxy component between
the user and Windows authentication
subsystem internals. It is also
responsible for switching Windows
desktops and handling the Secure
Attention Sequence (SAS)
LSASS Initialization
In the second part of Step 1, the
Local Security Authority
Subsystem Service (LSASS)
process is initialized. The LSASS
component is a process that
contains components of the
Windows security subsystem.
Successful System Startup
This event is logged when
LSASS.EXE starts and the
auditing subsystem is initialized.
Local System Account Logon
Even though the Local System
account is a built-in special
account which represents the
machine itself, it also performs its
logon to the system.
Account Logon Flow v0.1
Group membership information
Security System Extension Loaded
A security package has been loaded by the Local Security
Authority.
C:\Windows\system32\lsasrv.dll : Negotiate
C:\Windows\system32\negoexts.DLL : NegoExtender
C:\Windows\system32\kerberos.DLL : Kerberos
C:\Windows\system32\msv1_0.DLL : NTLM
C:\Windows\system32\tspkg.DLL : TSSSP
C:\Windows\system32\pku2u.DLL : pku2u
C:\Windows\system32\cloudAP.DLL : CloudAP
C:\Windows\system32\wdigest.DLL : WDigest
C:\Windows\system32\schannel.DLL : Schannel
C:\Windows\system32\schannel.DLL : Microsoft Unified Security Protocol Provider
Security System Extension Used
An authentication package has been loaded by the
Local Security Authority. This authentication package
will be used to authenticate logon attempts.
Authentication Data Gathering
LogonUI’s purpose is to collect user credentials and
pass them to LSASS for validation. LogonUI is invoked
by Winlogon each time authentication data needs to be
collected from a user. After LogonUI gets a
user’s credentials and passes them to LSASS, it
terminates.
A logon was attempted using explicit
credentials.
Desktop Window Manager (DWM) Logon
Group membership information
Send Credentials from Winlogon to LSASS
After a credential provider gets authentication data from
the user, Winlogon invokes the LsaLogonUser function
to pass authentication data to LSASS. The
LsaLogonUser function uses LsaAuthenticationPort,
LSASS’s ALPC port for communications.
A trusted logon process has been registered
This event is logged as a result of a successful
LsaRegisterLogonProcess() function call. The logon process is
now trusted to submit logon requests. The event
contains the name of the logon process (Logon Process
Name) that was successfully registered using
LsaRegisterLogonProcess().
Local User Scenario
If the account is a local user account, the user’s
credentials are passed to the Negotiate Security
Support Provider (SSP), which then passes them to the
MSV1_0 security support provider/authentication
package (SSP/AP). Negotiate SSP selects between
Kerberos SSP/AP and MSV1_0 SSP/AP. For local
account interactive logons, MSV1_0 SSP/AP is
selected. You will find multiple 4622 events that inform
you that lsass.exe loaded a specific security package
(SSP/AP). The Security Package Name has the
following format: Package DLL Location : Package
N
Security System Extension Used
An authentication package has been loaded by the
Local Security Authority. This authentication package
will be used to authenticate logon attempts.
Local User Logon: MSV1_0 Answer
After MSV1_0 gets a user’s account hash from the
SAM manager, it compares it with a hash generated
from the user’s supplied credentials.
A logon was attempted using explicit
credentials
The event shows the logon initiation attempt for a
normal interactive logon. It is initiated by the local
SYSTEM account.
An account was successfully logged on locally
Some information in this event is the same as in the
4648 event.
Group membership information
After every 4624 successful logon event, the 4627
event is invoked. It contains SIDs for all groups of which
the user is a member.
Special privileges assigned to new logon.
If a user’s elevated token has one of the special
privileges, a 4672 event is generated containing all
detected special privileges.
Userinit.exe
At the end of the local interactive logon authentication
process, Winlogon sends information to the userinit.exe
process, which loads the user’s profile. After the user’s
profile is loaded, userinit.exe creates a local shell,
invoking the explorer.exe process. You should see two
4688 events: one for userinit.exe and another one for
explorer.exe. Winlogon.exe creates userinit.exe and
then userinit.exe creates explorer.exe.
Explorer.exe
Userinit.exe creates explorer.exe
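As an added example (not from the slide or the book it credits), the following Python reconstructs the per-logon event chain described above from constructed Security-log records and checks it against the sequence the slide gives: 4624, then 4627, optionally 4672, then 4688 for userinit.exe (parent winlogon.exe) and explorer.exe (parent userinit.exe). The flat dict layout and sample values are constructed for the demo; the field names mirror the event XML data names but are assumed here rather than parsed from a real EVTX.

```python
# Added example, not from the original slide: reconstruct the local interactive
# logon chain the slide describes from Security-log records. The flat dict shape
# and sample values below are constructed for this demo, not the real EVTX schema.
from collections import defaultdict
# Constructed sample records, in the order the slide shows: 4624 (logon), 4627
# (group membership), 4672 (special privileges), 4688 for userinit and explorer.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetLogonId": "0x3e7a1", "LogonType": 2},
    {"EventID": 4627, "TargetUserName": "alice", "TargetLogonId": "0x3e7a1",
     "GroupMembership": ["S-1-5-32-545", "S-1-5-32-544"]},
    {"EventID": 4672, "SubjectLogonId": "0x3e7a1", "PrivilegeList": ["SeDebugPrivilege"]},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "NewProcessName": r"C:\Windows\System32\userinit.exe",
     "ParentProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe"},
]
def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def group_by_logon(events):
    """Map logon ID -> events of that session. 4624/4627 carry the ID as
    TargetLogonId; 4672/4688 carry it as SubjectLogonId."""
    chains = defaultdict(list)
    for ev in events:
        lid = ev.get("TargetLogonId") or ev.get("SubjectLogonId")
        if lid:
            chains[lid].append(ev)
    return dict(chains)

def check_interactive_chain(chain):
    """Return (ok, problems) for the sequence the slide describes: 4624 then 4627,
    an optional 4672, then 4688 userinit.exe (parent winlogon.exe) and
    4688 explorer.exe (parent userinit.exe)."""
    problems = []
    ids = [ev["EventID"] for ev in chain]
    if ids[:2] != [4624, 4627]:
        problems.append("expected 4624 immediately followed by 4627")
    procs = [(basename(ev["NewProcessName"]), basename(ev["ParentProcessName"]))
             for ev in chain if ev["EventID"] == 4688]
    if procs != [("userinit.exe", "winlogon.exe"), ("explorer.exe", "userinit.exe")]:
        problems.append(f"unexpected process chain: {procs}")
    return (not problems, problems)

def special_privileges(chain):
    """Privileges listed by a 4672 event in this session (empty if none)."""
    return [p for ev in chain if ev["EventID"] == 4672 for p in ev["PrivilegeList"]]

if __name__ == "__main__":
    print({lid: check_interactive_chain(c) for lid, c in group_by_logon(SAMPLE_EVENTS).items()})
```

A chain that stops before explorer.exe, or whose 4688 parents do not match, is reported as a problem rather than silently accepted.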
Domain User Scenario
Negotiate SSP selects an appropriate authentication
package to handle the authentication request. It will
always try Kerberos AP first. If Kerberos AP is able to
proceed with the request, the data is sent to the domain
controller for validation.
A logon was attempted using explicit
credentials.
The event shows the logon initiation attempt for a
normal interactive logon. It is initiated by the local
SYSTEM account.
A domain account was successfully logged on locally
Credentials Validation on the Domain Controller
If the Kerberos or MSV1_0 packages were able to
reach the domain controller, then the domain controller
validates the credentials.
An account was successfully logged on
RemoteInteractive Logon (10)
RemoteInteractive Logon Cached Credentials (12)
Interactive Logon With Cached Credentials (11)
Network Logon (3)
NetworkCleartext Logon (8)
Unlock Logon (7)
Diagram stage labels: Initialization; SYSTEM Account Logon; Security Package Loading; Get Authentication Data and Create DWM Session; Authentication Data Transaction; Domain User Account; Local User Account; Post-Initialization; Logon Types
Event IDs annotated on the flow diagram, in diagram order: 4610, 4622, 4627, 4624, 4608, 4688, 4688, 4688, 4648, 4624, 4627, 4673, 4611, 4622, 4610, 4648, 4676, 4648, 4624, 4627, 4672, 4688, 4688, 4624, 4624
https://twitter.com/rimpq
Special thanks to Andrei Miroshnikov for the awesome book
"Windows Security Monitoring: Scenarios and Patterns" https://www.amazon.com/gp/product/B07BGHYF61