From e978acfb5955f7ef61feab6c8b87a4528f977145 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 12 Jan 2025 06:24:54 +0000
Subject: [PATCH] microblog: 12 Jan 2025

---
 source/_posts/2025-01-12.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 source/_posts/2025-01-12.md

diff --git a/source/_posts/2025-01-12.md b/source/_posts/2025-01-12.md
new file mode 100644
index 0000000..1076188
--- /dev/null
+++ b/source/_posts/2025-01-12.md
@@ -0,0 +1,6 @@
+---
+title: Event 5136 does not record logon time
+date: 2025-01-12
+---
+
+Every successful logon is recorded in [Event 4624](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624) but does [not necessarily](https://learn.microsoft.com/en-us/archive/technet-wiki/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate) update the [`lastLogonTimestamp`](https://learn.microsoft.com/en-us/windows/win32/adschema/a-lastlogontimestamp) attribute (nor its human-friendly version `LastLogonDate`). Even when it gets updated (after [`ms-DS-Logon-Time-Sync-Interval`](https://techcommunity.microsoft.com/blog/askds/8220the-lastlogontimestamp-attribute8221-8211-8220what-it-was-designed-for-and-h/396204) minus a random percentage of 5 has passed), [Event 5136](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136) (a directory service object was modified) will not capture it.