| Connectionmethod | Logon type | Reusable credentials on destination | Comments |
|---|---|---|---|
| Log on at console | Interactive | v | Includes hardware remote access / lights-out cards and network KVMs. |
| RUNAS | Interactive | v | |
| RUNAS /NETWORK | NewCredentials | v | Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
| Remote Desktop (success) | RemoteInteractive | v | If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
| Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if RDP logon fails credentials are only stored very briefly. This may not be the case if the computer is compromised. |
| Net use * \\SERVER | Network | - | |
| Net use * \\SERVER /u:user | Network | - | |
| MMC snap-ins to remote computer | Network | - | Example: Computer Management, Event Viewer, Device Manager, Services |
| PowerShell WinRM | Network | - | Example: Enter-PSSession server |
| PowerShell WinRM with CredSSP | NetworkClearText | v | New-PSSession server-Authentication Credssp-Credential cred |
| PsExec without explicit creds | Network | - | Example: PsExec \\server cmd |
| PsExec with explicit creds | Network + Interactive | v | PsExec \\server -u user -p pwd cmdCreates multiple logon sessions. |
| Remote Registry | Network | - | |
| Remote Desktop Gateway | Network | - | Authenticating to Remote Desktop Gateway. |
| Scheduled task | Batch | v | Password will also be saved as LSA secret on disk. |
| Run tools as a service | Service | v | Password will also be saved as LSA secret on disk. |
| Vulnerability scanners | Network | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |
| IIS "Basic Authentication" | NetworkCleartext(IIS 6.0+)Interactive(prior to IIS 6.0) | v | |
| IIS "Integrated Windows Authentication" | Network | - | NTLM and Kerberos Providers. |
| Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples |
|---|---|---|---|---|
| Interactive (a.k.a., Logon locally) | 2 | Password, Smartcard,other | Yes | Console logon;RUNAS;Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server)IIS Basic Auth (before IIS 6.0) |
| Network | 3 | Password,NT Hash,Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets present) | NET USE;RPC calls;Remote registry;IIS integrated Windows auth;SQL Windows auth; |
| Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks |
| Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services |
| NetworkCleartext | 8 | Password | Yes | IIS Basic Auth (IIS 6.0 and newer);Windows PowerShell with CredSSP |
| NewCredentials | 9 | Password | Yes | RUNAS /NETWORK |
| RemoteInteractive | 10 | Password, Smartcard,other | Yes | Remote Desktop (formerly known as "Terminal Services") |