> For the complete documentation index, see [llms.txt](https://omar-4.gitbook.io/omar-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://omar-4.gitbook.io/omar-docs/ecir/event-codes/pass-the-hash/event-id-4624.md).

# Event ID 4624

These logon types indicate specific methods of authentication that are commonly leveraged during PTH attacks. Here's why they are significant:

#### **Logon Type 3** – **Network Logon**:

* **Logon Type 3** refers to a **network logon**, where a user or system authenticates over the network (e.g., to access shared folders, printers, or other network resources).
* **PTH Attacks** typically involve using **NTLM hashes** to authenticate remotely, without needing the actual plaintext password. This is commonly done for **network logons**, as attackers often use **NTLM hashes** from compromised accounts to authenticate to other systems on the network.
* If you see **Logon Type 3** with suspicious **account names** (especially privileged accounts), it may indicate that an attacker is leveraging **NTLM hashes** to perform lateral movement or access network shares and services.

#### **Logon Type 9** – **NewCredentials (Remote Desktop, etc.)**:

* **Logon Type 9** is associated with logons that use **new credentials**, such as when a user connects to a system using **Remote Desktop Protocol (RDP)** or **Windows Services**.
* In the context of a **PTH** attack, **Logon Type 9** may be seen when an attacker uses the **Pass-the-Hash** technique to authenticate to a remote system (for example, when accessing a target system via **RDP**, the attacker uses the **NTLM hash** to authenticate without needing the actual password).
* **Type 9** is relevant because it shows that an attacker could use compromised credentials (in the form of a **hash**) to **log on remotely** without needing to provide a password, typical in **PTH** scenarios.

Check For :&#x20;

* Authentication Packages (search For NTLM)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://omar-4.gitbook.io/omar-docs/ecir/event-codes/pass-the-hash/event-id-4624.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.