Logon Session

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization[1]

ID: DS0028
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host, Network
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.1
Created: 20 October 2021
Last Modified: 07 December 2022

Data Components

Logon Session: Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp).

Domain ID Name Detects
Enterprise T1185 Browser Session Hijacking

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

Enterprise T1538 Cloud Service Dashboard

Monitor for newly constructed logon behavior across cloud service management consoles.[2]

Enterprise T1213 Data from Information Repositories

Monitor for newly constructed logon behavior within Microsoft's SharePoint, which can be configured to report access to certain pages and documents. [3] SharePoint audit logging can also be configured to report when a user shares a resource. [4] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. [5] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

.001 Confluence

Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. [5] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

.002 Sharepoint

Monitor for newly constructed logon behavior across Microsoft's SharePoint which can be configured to report access to certain pages and documents. [3] As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.

.003 Code Repositories

Monitor for newly constructed logon behavior across code repositories (e.g. GitHub) which can be configured to report access to certain pages and documents.

ICS T0811 Data from Information Repositories

Monitor for newly constructed logon behavior within Microsoft's SharePoint, which can be configured to report access to certain pages and documents.[3] SharePoint audit logging can also be configured to report when a user shares a resource.[4] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[5] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

ICS T0812 Default Credentials

Monitor logon sessions for default credential use.

Enterprise T1114 Email Collection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

.002 Remote Email Collection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

Enterprise T1606 Forge Web Credentials

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts and/or using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[6] Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the credentials.[7]

.001 Web Cookies

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.

.002 SAML Tokens

Monitor for logins using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[6] These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.[7]

ICS T0823 Graphical User Interface

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Remote Services may be used to access a host’s GUI.

ICS T0891 Hardcoded Credentials

Monitor logon sessions for hardcoded credential use, when feasible.

Enterprise T1556 Modify Authentication Process

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[8]

.001 Domain Controller Authentication

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[8]

.003 Pluggable Authentication Modules

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.006 Multi-Factor Authentication

Monitor for logon sessions for user accounts and devices that did not require MFA for authentication.

.007 Hybrid Identity

Monitor for discrepancies in authentication to cloud services, such as PTA sign-ins recorded in Azure AD that lack corresponding events in AD.[9]

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor 2FA/MFA application logs for suspicious events such as rapid login attempts with valid credentials.

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Monitor for newly constructed logon behavior that uses credentials obtained by reading LSASS process memory. For example, detect Secretsdump-style behavior against a system that is not a Domain Controller.

Enterprise T1563 Remote Service Session Hijacking

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

.001 SSH Hijacking

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.

.002 RDP Hijacking

Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Windows security log Event ID 4624 (An account was successfully logged on) is generated when a user logs onto a remote machine using RDP.

Correlating logon session creation events with RDP network flows can provide a clearer picture of RDP activity and serve as a useful starting point for investigating suspicious RDP connections.

Enterprise T1021 Remote Services

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [10][11]

Note: When using Security event id 4624, '%$' matches user names ending with the $ character, so NOT LIKE '%$' keeps only user names that do not end with $. Usually, computer account or local system account names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon.

Analytic 1 - New services being created under network logon sessions by non-system users

remote_logon_sessions = filter Hostname, UserName, UserLogonId, SourceIp where event_id == "4624" AND LogonType == "3" AND UserName NOT LIKE '%$'

new_services = filter UserName, UserLogonId, ServiceName where event_id = "4697"

suspicious_services = filter l.UserName, l.UserLogonId, l.SourceIp, s.ServiceName
FROM remote_logon_sessions l
INNER JOIN new_services s
ON l.UserLogonId = s.UserLogonId
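The join above, written out as an added Python example that is not part of the ATT&CK page or any MITRE tooling; it runs over constructed 4624/4697 events and assumes the Security-log field names TargetUserName, TargetLogonId, IpAddress and LogonType for 4624 and SubjectUserName, SubjectLogonId and ServiceName for 4697.

```python
from typing import Dict, Iterable, List

# Constructed sample Security-log events (not captured from a real host).
# 4624 carries TargetUserName/TargetLogonId/IpAddress/LogonType; 4697 carries
# SubjectUserName/SubjectLogonId/ServiceName (field names assumed here).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "4624", "Hostname": "FS01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5", "LogonType": "3"},
    {"event_id": "4624", "Hostname": "FS01", "TargetUserName": "WS02$",
     "TargetLogonId": "0x3e7b2", "IpAddress": "10.0.0.12", "LogonType": "3"},
    {"event_id": "4624", "Hostname": "FS01", "TargetUserName": "bob",
     "TargetLogonId": "0x3e7c3", "IpAddress": "-", "LogonType": "2"},
    {"event_id": "4697", "Hostname": "FS01", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1", "ServiceName": "svc-updater"},
    {"event_id": "4697", "Hostname": "FS01", "SubjectUserName": "WS02$",
     "SubjectLogonId": "0x3e7b2", "ServiceName": "svc-backup"},
    {"event_id": "4697", "Hostname": "FS01", "SubjectUserName": "bob",
     "SubjectLogonId": "0x3e7c3", "ServiceName": "svc-local"},
]


def remote_logon_sessions(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """4624 events with LogonType 3 (network) whose user name does not end in '$'
    (the NOT LIKE '%$' filter that drops computer and local-system accounts),
    keyed by TargetLogonId, which the analytic calls UserLogonId."""
    sessions: Dict[str, Dict[str, str]] = {}
    for e in events:
        if e.get("event_id") != "4624" or e.get("LogonType") != "3":
            continue
        user = e.get("TargetUserName", "")
        if user.endswith("$"):
            continue
        sessions[e["TargetLogonId"]] = {
            "Hostname": e.get("Hostname", ""),
            "UserName": user,
            "UserLogonId": e["TargetLogonId"],
            "SourceIp": e.get("IpAddress", ""),
        }
    return sessions


def new_services(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """4697 service-installation events, renamed to the analytic's field names."""
    return [
        {"UserName": e.get("SubjectUserName", ""),
         "UserLogonId": e["SubjectLogonId"],
         "ServiceName": e["ServiceName"]}
        for e in events if e.get("event_id") == "4697"
    ]


def suspicious_services(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Inner join of the two views on the logon id: a service installed inside a
    network logon session that belongs to a non-computer account."""
    events = list(events)
    sessions = remote_logon_sessions(events)
    hits = []
    for svc in new_services(events):
        logon = sessions.get(svc["UserLogonId"])
        if logon is None:
            continue  # interactive logon, or a computer account: not in scope
        hits.append({**logon, "ServiceName": svc["ServiceName"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_EVENTS):
        print(hit)
```

In the sample only alice's service is reported: WS02$ is excluded by the '$' filter and bob's logon is interactive (LogonType 2), so neither joins.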

.001 Remote Desktop Protocol

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

This analytic could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Analytic

filtered_logons = filter logon_events where ( (event_id = "4624") AND user NOT IN TOP30(user))

.002 SMB/Windows Admin Shares

Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. [12][13]

.004 SSH

Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.

For Linux systems, the Audit framework (auditd) can be used to monitor any writes to SSH log files that store information about logged in accounts such as /var/log/auth.log.

For macOS systems (10.12+), Unified Logs can be queried to show SSH daemon (sshd) messages that include information on logged in accounts. The following command can be used to query the last hour's worth of unified logs in this manner: log show -info --debug --predicate 'processImagePath CONTAINS "sshd" AND eventMessage CONTAINS "Accepted"' --last 1h | grep sshd

.005 VNC

Monitor for user accounts logged into systems that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"' can be used to review incoming VNC connection attempts for suspicious activity.[11]

.006 Windows Remote Management

Monitor for user accounts logging into the system via Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

.007 Cloud Services

Monitor for newly constructed logon behavior to cloud services. For example, in Azure AD, consider using Identity Protection to monitor for suspicious login behaviors to cloud resources. [14]

.008 Direct Cloud VM Connections

Monitor cloud audit logs and host logs for logon session events. These can be found in CloudTrail, Unified Audit Logs, Windows Event Logs and /var/log/auth.log or /var/log/secure for Linux systems.

ICS T0886 Remote Services

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see Remote Services and applicable sub-techniques.

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (Schannel, associated with SSL/TLS) is highlighted as the Logon Process associated with an EID 4624 logon event.[15]

Enterprise T1199 Trusted Relationship

Monitor for newly constructed logon behavior that may breach or otherwise leverage organizations who have access to intended victims.

Enterprise T1550 Use Alternate Authentication Material

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.002 Pass the Hash

Monitor newly created logons and credentials used in events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

Note: Analytic Event ID is for Windows Security Log (Event ID 4624 - An account was successfully logged on). The successful use of Pass the Hash for lateral movement between workstations would trigger Event ID 4624, with an event level of Information, from the Windows Security log. This event would show an account logon with a LogonType of 3 using NTLM authentication, a logon that is not a domain logon, and the user account not being the ANONYMOUS LOGON account.

Analytic 1

logons = filter log_events where (event_id == "4624" AND target_user_name != "ANONYMOUS LOGON" AND authentication_package_name == "NTLM")

.003 Pass the Ticket

Monitor for newly constructed logon behavior that may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.

Enterprise T1078 Valid Accounts

Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.001 Default Accounts

Monitor for newly constructed logon behavior across default accounts that have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.

.002 Domain Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.

Analytic 1 - Remote Desktop Logon

suspicious_netconn = filter network_connections where (event_id = "4624" AND AuthenticationPackageName = 'Negotiate' AND Severity = "Information" AND logon_type = "10")

Analytic 2 - Simultaneous Logins on a Host

users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time, count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)

.003 Local Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.

Analytic 1 - Remote Desktop Logon

suspicious_netconn = filter network_connections where (event_id = "4624" AND AuthenticationPackageName = 'Negotiate' AND Severity = "Information" AND logon_type = "10")

Analytic 2 - Simultaneous Logins on a Host

users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time, count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
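Both analytics above, and the identical pair under .002 Domain Accounts, as an added Python example that is not part of the ATT&CK page or any MITRE tooling. It assumes 4624 events already flattened to the field names hostname, user, logon_type, auth_pkg, source_ip and time, and it goes beyond the page's check in two ways: RDP logons are compared against an approved set of originating addresses, and the simultaneous-login check uses a sliding window per host instead of one min/max over all of a host's logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Logon types the text singles out; logoff events (4634) are ignored by both checks.
INTERESTING_LOGON_TYPES = {"2", "3", "9", "10"}

# Constructed sample 4624/4634 events (not from a real network), already
# flattened to the assumed field names; times are ISO-8601 in one timezone.
SAMPLE_LOGONS: List[Dict[str, str]] = [
    {"event_id": "4624", "hostname": "WS07", "user": "alice", "logon_type": "10",
     "auth_pkg": "Negotiate", "source_ip": "10.0.5.20", "time": "2022-11-01T09:00:00"},
    {"event_id": "4624", "hostname": "WS07", "user": "carol", "logon_type": "10",
     "auth_pkg": "Negotiate", "source_ip": "10.0.9.99", "time": "2022-11-01T09:40:00"},
    {"event_id": "4624", "hostname": "WS07", "user": "alice", "logon_type": "2",
     "auth_pkg": "Negotiate", "source_ip": "-", "time": "2022-11-01T13:00:00"},
    {"event_id": "4624", "hostname": "SRV01", "user": "dave", "logon_type": "3",
     "auth_pkg": "Kerberos", "source_ip": "10.0.5.21", "time": "2022-11-01T08:00:00"},
    {"event_id": "4624", "hostname": "SRV01", "user": "dave", "logon_type": "3",
     "auth_pkg": "Kerberos", "source_ip": "10.0.5.21", "time": "2022-11-01T08:45:00"},
    {"event_id": "4624", "hostname": "SRV01", "user": "erin", "logon_type": "3",
     "auth_pkg": "Kerberos", "source_ip": "10.0.5.30", "time": "2022-11-01T10:00:00"},
    {"event_id": "4634", "hostname": "WS07", "user": "alice", "logon_type": "10",
     "auth_pkg": "Negotiate", "source_ip": "-", "time": "2022-11-01T09:50:00"},
]


def rdp_logons_from_unapproved_sources(events: Iterable[Dict[str, str]],
                                       approved_sources: Set[str]) -> List[Dict[str, str]]:
    """Analytic 1 plus the known/approved-origin comparison: Type 10 (RDP) logons
    with the Negotiate package whose source address is not an approved admin
    workstation. An empty approved set returns every RDP logon."""
    return [
        e for e in events
        if e["event_id"] == "4624" and e["logon_type"] == "10"
        and e["auth_pkg"] == "Negotiate"
        and e["source_ip"] not in approved_sources
    ]


def simultaneous_logins(events: Iterable[Dict[str, str]],
                        window_hours: float = 1.0) -> Dict[str, List[str]]:
    """Analytic 2 generalised to a sliding window: per host, sort logons of the
    interesting types by time and flag every distinct user that logs on within
    window_hours of a different user. Returns {hostname: sorted users}."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] in INTERESTING_LOGON_TYPES:
            by_host[e["hostname"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    findings: Dict[str, List[str]] = {}
    for host, logons in by_host.items():
        logons.sort()
        flagged: Set[str] = set()
        start = 0
        for end, (t_end, _) in enumerate(logons):
            # Slide the window start forward until it is within `window` of this logon.
            while t_end - logons[start][0] > window:
                start += 1
            users = {u for _, u in logons[start:end + 1]}
            if len(users) > 1:
                flagged |= users
        if flagged:
            findings[host] = sorted(flagged)
    return findings


if __name__ == "__main__":
    print(rdp_logons_from_unapproved_sources(SAMPLE_LOGONS, {"10.0.5.20"}))
    print(simultaneous_logins(SAMPLE_LOGONS))
```

With the sample data, carol's RDP logon from 10.0.9.99 is the only unapproved origin, and only WS07 shows two distinct users within one hour; dave's two logons on SRV01 are the same user and erin arrives 75 minutes later, so SRV01 is clean at a one-hour window but flagged at three hours.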

.004 Cloud Accounts

Monitor for suspicious account behavior across cloud services that share accounts.

ICS T0859 Valid Accounts

Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

ICS T0860 Wireless Compromise

Monitor login sessions for new or unexpected devices or sessions on wireless networks.

Logon Session: Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Domain ID Name Detects
Enterprise T1133 External Remote Services

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

ICS T0822 External Remote Services

Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts.

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

Consider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.[6]

ICS T0883 Internet Accessible Device

Monitor logon activity for unexpected or unusual access to devices from the Internet.

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor 2FA/MFA application logs for suspicious events such as an unusual source location for a login attempt, or a mismatch between the location of the login attempt and the location of the smart device approving the 2FA/MFA request prompt.

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic

suspicious_logon = filter logons where (event_id = "4624" AND AuthenticationPackageName = 'Negotiate' AND Severity = "Information" AND logon_type = "10")

Enterprise T1558 Steal or Forge Kerberos Tickets

Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[16] [17]

.001 Golden Ticket

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). Correlate other security systems with login information (e.g., a user has the KRBTGT account password hash and forges Kerberos ticket-granting tickets).

.002 Silver Ticket

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).

Enterprise T1199 Trusted Relationship

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Enterprise T1078 Valid Accounts

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.002 Domain Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.003 Local Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.004 Cloud Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

ICS T0859 Valid Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

References