FYSA, the 4624 event that we all know and love in DFIR has been updated to Version 3 as of Windows 11 (22H2).
Using the beloved EVTX-ETW Resources GitHub repository that Nasredinne Bencherchali and I have curated, looking at the Microsoft-Windows-Security-Auditing Provider CSV will provide us with a history of all events associated with that Provider (Microsoft-Windows-Security-Auditing). If we filter on the 4624 Event ID and sort on Event Version, we’ll see that Version 3 shows up for Windows 11 Pro only!
This indicates that the 4624 event has been updated, but to which degree? Let’s find out!
We can compare the Event Message fields to see what is different using UltraCompare (or any other comparison application like Beyond Compare). In summary, not much is different, but the one potentially exciting thing added to 4624 is the Remote Credential Guard field.
Here’s the HTML output from UltraCompare, which compares the output from both Version 2 and Version 3 of the 4624 events: 4624Comparison.
What you’re seeing on the left is Windows 10 Pro (22H2) and on the right is Windows 11 Pro (22H2) and their respective 4624 event message. Windows 10 Pro (22H2) has 4624 Version 2, and Windows 11 Pro (22H2) has 4624 Version 3.
Look here to see the raw output (.txt) of Windows 10 Pro (22H2) and Windows 11 Pro (22H2). The HTML above provides a comparison and highlights the differences, with the main field being the following:
Remote Credential Guard:
{SubjectUserName}3
I have yet to see this populated in the wild, but the first step is noticing something new, with the second step being keeping an eye out for it to further determine potential forensic value. To learn more about Remote Credential Guard, look no further than Microsoft’s documentation here.
