Winlogon Process initialization Winlogon is initialized. Winlogon is a system component (it’s a process) that acts as a proxy component between the user and Windows authentication subsystem internals. It is also responsible for switching Windows desktops and handling the Secure Attention Sequence (SAS) LSASS Initialization In the second part of Step 1, the Local Security Authority Subsystem Service (LSASS) process is initialized. The LSASS component is a process that contains components of the Windows security subsystem. Successful System Startup This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. Local System Account Logon Even though the Local System account is a built-in special account which represents the machine itself, it also performs its logon to the system. Account Logon Flow v0.1 Group membership information Security System Extention Loaded A security package has been loaded by the Local Security Authority. C:\Windows\system32\lsasrv.dll : Negotiate C:\Windows\system32\negoexts.DLL : NegoExtender C:\Windows\system32\kerberos.DLL : Kerberos C:\Windows\system32\msv1_0.DLL : NTLM C:\Windows\system32\tspkg.DLL : TSSSP C:\Windows\system32\pku2u.DLL : pku2u C:\Windows\system32\cloudAP.DLL : CloudAP C:\Windows\system32\wdigest.DLL : WDigest C:\Windows\system32\schannel.DLL : Schannel C:\Windows\system32\schannel.DLL : Microsoft Unified Security Protocol Provider Security System Extention Used An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. Authentication Data Gathering LogonUI’s purpose is to collect user credentials and pass them to LSASS for validation. LogonUI is invoked by Winlogon each time authenticated data needs to be collected/gathered from a user. After LogonUI gets a user’s credentials and passes them to LSASS, it terminates. A logon was attempted using explicit credentials. Desktop Windows Manager (DWM) Logon Group membership information Send Credentials from Winlogon to LSASS After a credential provider gets authentication data from the user, Winlogon invokes the LsaLogonUser function to pass authentication data to LSASS. The LsaLogonUser function uses LsaAuthenticationPort, LSASS’s ALPC port for communications. A trusted logon process has been registered As a result of a successful LsaRegisterLogonProcess() function call explain in this event. This logon process is now trusted to submit logon requests. This event contains the name of a logon process (Logon Process Name) that was successfully registered using LsaRegisterLogonProcess(). Local User Scenario If the account is a local user account, the user’s credentials are passed to the Negotiate Security Support Provider (SSP), which then passes them to the MSV1_0 security support provider/authentication package (SSP/AP). Negotiate SSP selects between Kerberos SSP/AP and MSV1_0 SSP/AP. For local account interactive logons, MSV1_0 SSP/AP is selected. You will find multiple 4622 events that inform you that lsass.exe loaded a specific security package (SSP/AP). The Security Package Name has the following format: Package DLL Location : Package N Security System Extention Used An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. Local User Logon: MSV1_0 Answer After MSV1_0 gets a user’s account hash from the SAM manager, it compares it with a hash generated from the user’s supplied credentials. A logon was attempted using explicit credentials The event shows the logon initiation attempt for a normal interactive logon. It is initiated by the local SYSTEM account. An account was successfully logged on localy Some information in this event is the same as in the 4648 event. Group membership information After every 4624 successful logon event, the 4627 event is invoked. It contains SIDs for all groups of which the user is a member. Special privileges assigned to new logon. If a user’s elevated token has one of the special privileges, a 4672 event is generated containing all detected special privileges. Userinit.exe At the end of the local interactive logon authentication process, Winlogon sends information to the userinit.exe process, which loads the user’s profile. After the user’s profile is loaded, userinit.exe creates a local shell, invoking the explorer.exe process. You should see two 4688 events: one for userinit.exe and another one for explorer.exe. Winlogon.exe creates userinit.exe and then userinit.exe creates explorer.exe. Explorer.exe Userinit.exe creates explorer.exe Domain User Scenario Negotiate SSP selects an appropriate authentication package to handle the authentication request. It will always try Kerberos AP first. If Kerberos AP is able to proceed with the request, the data is sent to the domain controller for validation. A logon was attempted using explicit credentials. The event shows the logon initiation attempt for a normal interactive logon. It is initiated by the local SYSTEM account. An Domain account was successfully logged on localy Credentials Validation on the Domain Controller If the Kerberos or MSV1_0 packages were able to reach the domain controller, then the domain controller validates the credentials. An account was successfully logged on RemoteInteractive Logon (10) RemoteInteractive Logon Cached Credentials (12) Interactive Logon With Cached Credentials (11) Network Logon (3) NetworkCleartext Logon (8) Unlock Logon (7) Initialization SYSTEM Account Logon Security Package Loading Get Authentication Data and Create DWM Session Authentication Data Transaction Domain User Acсount Local User Account Post-Initialization Logon Types 4610 4622 4627 4624 4608 4688 4688 4688 4648 4624 4627 4673 4611 4622 4610 4648 4676 4648 4624 4627 4672 4688 4688 4624 4624 https://twitter.com/rimpq Special thanks to Andrei Miroshnikov for awesome book "Windows Security Monitoring: Scenarios and Patterns" https://www.amazon.com/gp/product/B07BGHYF61