An analysis of Windows login types

  
If you pay attention to the Windows security log, you will notice in the event descriptions that the "login type" is not always the same. Are there other types besides interactive login at the keyboard (login type 1)?
Yes. Windows subdivides logins into a variety of types so that you can get more valuable information from the logs: you can tell whether a user logged in locally, from the network, or by some other method. Knowing these login types helps you spot suspicious intrusion activity in the event log and determine how the attack is being carried out. Let's take a closer look at the Windows login types.
Login Type 2: Interactive
This is probably the first login method that comes to mind. An interactive login is one that the user performs at the computer's console, that is, on the local keyboard. Do not forget that logging in via KVM is still an interactive login, although it is web based.
Login Type 3: Network
When you access a computer from the network, Windows records the login as type 3 in most cases; the most common cases are connecting to a shared folder or a shared printer. Logging in to IIS over the network is also recorded as this type in most cases, with one exception: IIS logins that use basic authentication are recorded as type 8, as described below.
Login Type 4: Batch
When Windows runs a scheduled task, the Scheduled Task service creates a new login session for the task so that it can run under the user account configured for that task. When this login occurs, Windows records it as type 4 in the log. Other job-scheduling systems, depending on their design, can also generate type 4 login events when they start a job. A type 4 login usually just indicates that a scheduled task started, but it may also be a malicious user guessing a user's password through a scheduled task; such an attempt generates a type 4 login failure event. A failed type 4 login may also occur because the password stored for the scheduled task is out of sync, for example when the user's password was changed and the scheduled task was not updated.
Login Type 5: Service
Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password has changed and was not updated in the service configuration. It may also be caused by a malicious user guessing the password, but this is less likely, because creating a new service or editing an existing one requires membership in Administrators or Server Operators by default, and a malicious user with that identity already has enough power to do harm and has no need to guess the service password.
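The following Python code applies the type 4 and type 5 reasoning above to security-log events exported as XML. It is an added example, not part of the original article. It assumes event IDs 4624 (successful login) and 4625 (failed login) with the LogonType and TargetUserName data fields; the account names, sample events and the threshold of 3 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Login types covered in this article (type 8 is the IIS basic-authentication case).
LOGIN_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext"}
# What a FAILED login of each type usually means, following the text above.
FAILURE_HINTS = {
    4: "scheduled task: stored password out of sync, or password guessing via a task",
    5: "service: account password changed but service configuration not updated",
}

def triage(events_xml):
    """Return one dict per login event (4624 = success, 4625 = failure)."""
    rows = []
    for ev in ET.fromstring(events_xml).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4624, 4625):
            continue  # not a login event
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        ltype = int(data.get("LogonType", "0"))
        failed = event_id == 4625
        rows.append({"user": data.get("TargetUserName", ""), "type": ltype,
                     "name": LOGIN_TYPES.get(ltype, "Other"), "failed": failed,
                     "hint": FAILURE_HINTS.get(ltype, "") if failed else ""})
    return rows

def repeated_failures(rows, threshold=3):
    """Map (user, type) -> count for accounts with >= threshold failed logins."""
    counts = {}
    for r in rows:
        if r["failed"]:
            key = (r["user"], r["type"])
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= threshold}

def _ev(eid, ltype, user):  # builds one constructed sample event
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{ltype}</Data></EventData></Event>')

# Constructed sample: two normal logins, three failed batch logins, one failed service login.
SAMPLE = "<Events>" + "".join(
    [_ev(4624, 2, "alice"), _ev(4624, 3, "bob")]
    + [_ev(4625, 4, "svc_backup")] * 3 + [_ev(4625, 5, "svc_sql")]) + "</Events>"

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(repeated_failures(triage(SAMPLE)))
```

A single failed type 4 or type 5 login is most often a stale password; repeated failures for the same account are the ones to investigate as possible password guessing.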

Copyright © Windows knowledge All Rights Reserved