Why are there so many Windows Logon Success events with Logon Type 3? -A quick look-

The Windows Security Event Log is unbelievably verbose. Given how complex the operating system is, keeping track of everything makes sense for diagnostic purposes, and wherever there is activity tracking, forensic readiness comes along with it.

Logon type is a category that Windows authentication assigns to describe how a user logged on to an account, or, in Microsoft's words, it “Identifies the logon type initiated by the connection.” [1] It lets you distinguish how the session was established: directly at the console, remotely over the network, by a service that needs to authenticate every so often, and so on. An authentication that was not initiated by a legitimate user is logged in exactly the same way, so telling the legitimate sessions from the rest takes some work.

Logon type 3 is what Microsoft calls a “Network Logon”. That is vague, so Microsoft lists a few examples, including NET USE, RPC calls and remote registry access, but there are many more ways to trigger logon type 3 than those examples.

Microsoft explaining what each logon type means

Here are some of the reasons logon type 3 gets triggered, based on the quick research I have done.

There are great articles explaining logon types thoroughly; I will link some of them in the References. Here we focus on logon type 3.

Accessing SMB Shares

This is one of the most common ways to trigger logon type 3. If a machine has an SMB share open and someone tries to access it (not necessarily successfully), a successful logon type 3 event (4624) is written to that machine's Security event log.

SMB Login. Credit: Altered Security
Logon Type 3 triggered. Credit: Altered Security

Lina Lau, a.k.a. Inversecos, wrote a nice article showing how failed SMB and failed RDP connections (the latter covered in the next section) still trigger logon type 3; it is linked in the References. [4]

Failed SMB. Credit: Lina Lau

As you can see the connection was denied, yet the log still records a successful logon type 3 (4624) for ANONYMOUS LOGON. The reason is that the SMB session negotiation itself establishes an anonymous (null) session through the NTLM package (Logon Process NtLmSsp, Security ID S-1-5-7) before the real credentials are ever checked. The actual credential failure is recorded separately as a 4625 from the same source (when failure auditing is enabled), so an anonymous 4624 on its own is not evidence that anyone got in; the 4625 that follows it, or the absence of a real user's 4624, is what tells you what happened.

It’s still triggered. Credit: Lina Lau

Accessing RDP

Although the previous picture shows that a successful Remote Desktop Protocol logon is recorded differently, as type 10, a failed RDP logon triggers logon type 3 with ANONYMOUS LOGON. She described it: “This is because even though it’s over RDP, I was logging on over ‘the internet’ aka the network.” One caveat to add: when Network Level Authentication (NLA) is enabled, even a successful RDP session is preceded by a type 3 logon for the CredSSP pre-authentication, followed by the type 10 logon for the interactive session, so a type 3 from an RDP client does not by itself mean the attempt failed.

A failed RDP connection still produces a successful logon type 3.

Accessing the machine using WinRM

Windows Remote Management (WinRM) is one component of the Windows Hardware Management features, which manage server hardware locally and remotely. [5] Put simply, it is the Windows service (WS-Management over HTTP on port 5985 or HTTPS on 5986 by default) that lets an administrator manage a machine from anywhere. Because it is such a powerful entry point, valid credentials are required to use it, but the service has also been exposed by vulnerabilities in the underlying Windows HTTP stack, as in [6].

Chirag Savla at Altered Security demonstrated several ways of executing commands over WinRM with tools such as crackmapexec, and what each looks like in the logs.

Example of crackmapexec. Credit: Chirag Savla

The obvious red flag is the Workstation Name field of the 4624 event. It is supplied by the client during NTLM authentication, so it often carries the hostname of the attacker's own machine rather than a name from your inventory. It is not always populated (Kerberos logons leave it blank, and a client can send whatever it likes), so do not rely on it alone.

How it looks like on the logs. Credit: Chirag Savla

Accessing the machine using WMI

Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. Remote WMI calls travel over DCOM/RPC, which is why they land in the Security log as network logons too.

Here is an example from Chirag Savla of WMI triggering logon type 3; he listed the processes on the remote machine using WMI.

Process listing with WMI. Credit: Chirag Savla
How it looks in the log after the WMI call. Credit: Chirag Savla

Accessing the machine using PSRemoting

PowerShell can make a machine accessible remotely through PowerShell commands. From the Microsoft documentation: “Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers.” Because PSRemoting rides on WinRM (WS-Management), it is authenticated and logged the same way, and having a PowerShell session on a machine is very close to having the machine itself.

He also showed that PSRemoting triggers logon type 3.

PSRemoting with prebuilt script. Credit: Chirag Savla
How it looks like on the log. Credit: Chirag Savla

Zerologon Exploit

This may be one of the less common ways to trigger logon type 3, but it deserves attention.

Kroll wrote a great article about how Zerologon works and how to spot it. They split the detection into three cases; I reproduce only one of them here, because their explanation is much longer and richer than this post.

One of the cases in the article is the attacker resetting the DC computer account password without knowing the original one. A logon type 3 event on the Domain Controller (DC) can be checked for these characteristics to identify Zerologon:

  • The account name is ANONYMOUS LOGON or the DC's own computer account name
  • The source IP differs from the DC's own address; it shows where the attacker ran the exploit
  • The authentication package is NTLM
Credit: Kroll
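Pulling together the patterns from the sections above (the anonymous NTLM artefact left by failed SMB and RDP attempts, the client-supplied Workstation Name seen with crackmapexec over WinRM, WMI and PSRemoting, and the three Zerologon characteristics), here is a small triage script as an added example. It is my own code, not taken from any of the cited articles. It works on events exported as XML (the shape `wevtutil qe` or `Get-WinEvent` with `.ToXml()` produces); the sample events, hostnames, IP addresses and the known-host inventory in it are constructed placeholders, and the rule names are my own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
ANON = "ANONYMOUS LOGON"


def parse_event(xml_text):
    """Flatten one exported Security event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # SystemTime carries seven fractional digits; whole seconds are enough for pairing events.
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")[:19]
    event = {"EventID": int(system.find("e:EventID", NS).text),
             "Time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")}
    for item in root.find("e:EventData", NS):
        event[item.get("Name")] = (item.text or "").strip()
    return event


def classify(event, known_hosts, dc_name=None, dc_ips=()):
    """Tag a 4624 logon type 3 event with the patterns discussed above; [] means unremarkable."""
    if event["EventID"] != 4624 or event.get("LogonType") != "3":
        return []
    user = event.get("TargetUserName", "").upper()
    auth = event.get("AuthenticationPackageName", "")
    workstation = event.get("WorkstationName", "").upper()
    source_ip = event.get("IpAddress", "")
    tags = []
    # 1. SMB negotiation / failed RDP-NLA artefact: a "successful" anonymous NTLM logon.
    #    Harmless by itself; interesting when a 4625 from the same source follows it.
    if user == ANON and auth == "NTLM":
        tags.append("anonymous-ntlm")
    # 2. Tooling over WinRM/WMI/PSRemoting: WorkstationName is whatever the client sent, often
    #    the attacker's own hostname. Kerberos logons leave it blank, so absence proves nothing.
    if workstation and workstation not in known_hosts:
        tags.append("unknown-workstation")
    # 3. Zerologon-style pattern on a DC: anonymous or the DC's own computer account, NTLM,
    #    from an address that is not the DC itself. A lead to corroborate, not a verdict.
    if (dc_name and auth == "NTLM" and user in (ANON, dc_name.upper() + "$")
            and source_ip not in ("", "-") and source_ip not in dc_ips):
        tags.append("zerologon-pattern")
    return tags


def failed_followups(events, window=timedelta(seconds=30)):
    """Pair each anonymous 4624 with a 4625 from the same source IP inside the window."""
    pairs = []
    for anon in events:
        if anon["EventID"] != 4624 or anon.get("TargetUserName", "").upper() != ANON:
            continue
        for failed in events:
            if (failed["EventID"] == 4625 and failed.get("IpAddress") == anon.get("IpAddress")
                    and anon["Time"] <= failed["Time"] <= anon["Time"] + window):
                pairs.append((anon["Time"], failed["IpAddress"], failed.get("TargetUserName")))
    return pairs


def make_event(event_id, when, **data):
    """Build an event in the exported XML shape; used here only to construct sample data."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')


# Constructed sample log, not a real capture; hostnames and addresses are placeholders.
SAMPLE_XML = [
    # Ordinary share access by a domain user over Kerberos: nothing to flag.
    make_event(4624, "2024-03-01T10:00:00.0000000Z", LogonType="3", TargetUserName="alice",
               LogonProcessName="Kerberos", AuthenticationPackageName="Kerberos",
               WorkstationName="", IpAddress="10.0.0.5"),
    # External host: anonymous NTLM "success" from the SMB negotiation, then the real failure.
    make_event(4624, "2024-03-01T10:01:00.0000000Z", LogonType="3", TargetUserName=ANON,
               LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
               WorkstationName="", IpAddress="203.0.113.7"),
    make_event(4625, "2024-03-01T10:01:02.0000000Z", LogonType="3", TargetUserName="administrator",
               LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
               WorkstationName="", IpAddress="203.0.113.7"),
    # crackmapexec-style WinRM/WMI logon: the client sent its own, unknown hostname.
    make_event(4624, "2024-03-01T10:05:00.0000000Z", LogonType="3", TargetUserName="administrator",
               LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
               WorkstationName="KALI", IpAddress="10.0.0.99"),
    # Same internal host, anonymous NTLM: on a DC this also matches the Zerologon pattern.
    make_event(4624, "2024-03-01T10:07:00.0000000Z", LogonType="3", TargetUserName=ANON,
               LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
               WorkstationName="", IpAddress="10.0.0.99"),
]
KNOWN_HOSTS = {"WS01", "WS02", "DC01"}  # placeholder asset inventory


def triage(xml_events, known_hosts, dc_name=None, dc_ips=()):
    """Return ([(time, user, source IP, tags) for flagged type 3 logons], anonymous->4625 pairs)."""
    events = [parse_event(x) for x in xml_events]
    hits = []
    for ev in events:
        tags = classify(ev, known_hosts, dc_name, dc_ips)
        if tags:
            hits.append((ev["Time"], ev["TargetUserName"], ev["IpAddress"], tags))
    return hits, failed_followups(events)


if __name__ == "__main__":
    hits, pairs = triage(SAMPLE_XML, KNOWN_HOSTS, dc_name="DC01", dc_ips=("10.0.0.1",))
    for hit in hits:
        print(*hit)
    for pair in pairs:
        print("4625 followed anonymous logon:", *pair)
```

Run against the sample with no DC name, the script flags the external anonymous NTLM logon, the KALI workstation, and the internal anonymous logon, and pairs the first of those with the 4625 two seconds later. Run as a DC log (`dc_name="DC01"`), both anonymous events additionally match the Zerologon pattern, which shows the limitation of that rule: by the 4624 alone it cannot be told apart from an ordinary SMB null session, so treat it as a lead to corroborate with the rest of Kroll's indicators, not a detection on its own.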

Closing

It may seem trivial to ask what it means when logon type 3 is triggered, but the basic reason is always the same: “something is authenticating to this machine from another machine”. So if you see this logon on your machine and it comes from a place it should not have, it is a good indicator to take a closer look and track it down.

References

[1] Administrative tools and logon types reference — Windows Server | Microsoft Docs

[2] Fantastic Windows Logon types and Where to Find Credentials in Them (alteredsecurity.com)

[3] CVE-2020–1472 (Zerologon) Exploit Detection Cheat Sheet (kroll.com)

[4] Successful 4624 Anonymous Logons to Windows Server from External IPs? (inversecos.com)

[5] About Windows Remote Management — Win32 apps | Microsoft Docs

[6] Wormable Windows HTTP vulnerability also affects WinRM servers (bleepingcomputer.com)


Rifqi Ardia Ramadhan
MII Cyber Security Consulting Services

I have certification of C-something for forensics idk I forgot, I just liked the knowledge!