Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Start by examining the event details to understand the logoff context and user information.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4647 by right-clicking the Security log and selecting Filter Current Log
4. Enter 4647 in the Event IDs field and click OK
5. Double-click on a 4647 event to view detailed information including:
   • Subject: User account that initiated the logoff
   • Logon ID: Unique identifier linking to the original logon event
   • Logon Type: Method used for the original logon (2=Interactive, 3=Network, 10=RemoteInteractive)
6. Note the timestamp and correlate with any security incidents or user reports

Use PowerShell to efficiently query and analyze Event ID 4647 occurrences across specific timeframes.

1. Open PowerShell as Administrator
2. Query recent logoff events with basic filtering:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4647} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Filter events for specific users or timeframes:

   # Filter by specific user
   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4647; StartTime=(Get-Date).AddDays(-7)}
   $Events | Where-Object {$_.Message -like "*username*"} | Format-List TimeCreated, Message

4. Extract detailed information from event properties:

   # Parse event details
   $LogoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4647} -MaxEvents 20
   foreach ($Event in $LogoffEvents) {
       $EventXML = [xml]$Event.ToXml()
       $SubjectUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
       $LogonId = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'} | Select-Object -ExpandProperty '#text'
       Write-Output "Time: $($Event.TimeCreated) | User: $SubjectUserName | Logon ID: $LogonId"
   }

5. Export results for further analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4647; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\Logoff_Events.csv" -NoTypeInformation

Match Event ID 4647 with corresponding logon events to analyze session patterns and identify anomalies.

1. Create a PowerShell script to correlate logon (4624) and logoff (4647) events:

   # Get logon and logoff events from the last 24 hours
   $StartTime = (Get-Date).AddDays(-1)
   $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime}
   $LogoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4647; StartTime=$StartTime}
   
   # Create correlation table
   $SessionData = @()
   foreach ($LogoffEvent in $LogoffEvents) {
       $LogoffXML = [xml]$LogoffEvent.ToXml()
       $LogonId = $LogoffXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'} | Select-Object -ExpandProperty '#text'
       $UserName = $LogoffXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
       
       # Find matching logon event
       $MatchingLogon = $LogonEvents | Where-Object {
           $LogonXML = [xml]$_.ToXml()
           $LogonLogonId = $LogonXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'} | Select-Object -ExpandProperty '#text'
           $LogonLogonId -eq $LogonId
       } | Select-Object -First 1
       
       if ($MatchingLogon) {
           $SessionDuration = $LogoffEvent.TimeCreated - $MatchingLogon.TimeCreated
           $SessionData += [PSCustomObject]@{
               User = $UserName
               LogonTime = $MatchingLogon.TimeCreated
               LogoffTime = $LogoffEvent.TimeCreated
               Duration = $SessionDuration.ToString()
               LogonId = $LogonId
           }
       }
   }
   
   $SessionData | Format-Table -AutoSize

2. Identify unusual session patterns such as very short or very long sessions
3. Look for logoff events without corresponding logon events, which might indicate log tampering

Ensure proper audit policy configuration to capture all relevant logoff events and optimize logging settings.

1. Check current audit policy settings:

   auditpol /get /category:"Logon/Logoff"

2. Enable detailed logon/logoff auditing if not already configured:

   # Enable logoff auditing
   auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
   
   # Verify the setting
   auditpol /get /subcategory:"Logoff"

3. Configure Group Policy for enterprise environments:
   • Open Group Policy Management Console
   • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
   • Expand Audit Policies → Logon/Logoff
   • Configure Audit Logoff to Success and Failure
4. Set Security log size to accommodate increased logging:

   # Increase Security log size to 100MB
   wevtutil sl Security /ms:104857600

5. Configure log retention policy in registry:

   # Set log retention (1 = overwrite as needed, 0 = overwrite events older than X days)
   Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "Retention" -Value 0
   Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "AutoBackupLogFiles" -Value 1

Set up automated monitoring for Event ID 4647 to detect unusual logoff patterns or security incidents.

1. Create a PowerShell script for continuous monitoring:

   # Monitor-LogoffEvents.ps1
   param(
       [int]$CheckIntervalMinutes = 5,
       [string]$LogPath = "C:\Logs\LogoffMonitoring.log"
   )
   
   $LastCheck = (Get-Date).AddMinutes(-$CheckIntervalMinutes)
   
   while ($true) {
       $NewLogoffs = Get-WinEvent -FilterHashtable @{
           LogName='Security'
           Id=4647
           StartTime=$LastCheck
       } -ErrorAction SilentlyContinue
       
       foreach ($Event in $NewLogoffs) {
           $EventXML = [xml]$Event.ToXml()
           $UserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
           $Domain = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
           
           $LogEntry = "$(Get-Date): User logoff detected - $Domain\$UserName at $($Event.TimeCreated)"
           Add-Content -Path $LogPath -Value $LogEntry
           
           # Add alerting logic here (email, SIEM integration, etc.)
           # Example: Send alert for after-hours logoffs
           $Hour = $Event.TimeCreated.Hour
           if ($Hour -lt 6 -or $Hour -gt 22) {
               Write-Warning "After-hours logoff detected: $Domain\$UserName"
           }
       }
       
       $LastCheck = Get-Date
       Start-Sleep -Seconds ($CheckIntervalMinutes * 60)
   }

2. Schedule the monitoring script as a Windows service or scheduled task
3. Configure Windows Event Forwarding (WEF) for centralized logging:
   • Set up a Windows Event Collector server
   • Configure source computers to forward Event ID 4647
   • Create custom views and subscriptions for logoff events
4. Integrate with SIEM solutions using Windows Event Log forwarding or agents
5. Set up custom Event Viewer tasks to trigger on Event ID 4647:
   • In Event Viewer, right-click on a 4647 event
   • Select Attach Task To This Event
   • Configure automated responses such as running scripts or sending notifications