Logon Session

Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. ^[5] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

Monitor for newly constructed logon behavior across Microsoft's SharePoint which can be configured to report access to certain pages and documents. ^[3] As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.

Analytic 1 - Suspicious actor IPs, unusual user agents (e.g., malware, scripting interpreters like PowerShell, Python), anomalous login times

index="azure_ad_signin_logs" Resource="Office 365 SharePoint Online" AND (UserAgent="PowerShell" OR UserAgent="Mozilla")| stats count by UserAgent, UserID, IPAddress, Location| where IPAddress!="expected_ip" OR Location!="expected_location"

Monitor for newly constructed logon behavior across code repositories (e.g. Github) which can be configured to report access to certain pages and documents.

Monitor for newly constructed logon behavior across the CRM software which can be configured to report access to certain information. As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

Analytic 1 - Suspicious actor IPs, unusual user agents (e.g., malware, scripting interpreters like PowerShell, Python), anomalous login times

Note: To detect suspicious logon session creation activities related to remote email collection.

index="azure_ad_signin_logs" Resource="Office 365 Exchange Online" AND (UserAgent="PowerShell" OR UserAgent="AADInternals")| stats count by UserAgent, UserID, IPAddress, Location| where IPAddress!="expected_ip" OR Location!="expected_location"

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.

Monitor for logins using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.^[7] These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.^[8]

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.^[9]

Analytic 1 - Unusual logon patterns and times.

index=windows sourcetype="WinEventLog:Security" ( (EventCode=4624 OR EventCode=4768) AND Logon_Type=3 AND NOT [search index=windows sourcetype="WinEventLog:Security" EventCode=4768 | stats count by Account_Name | where count < 10 | fields Account_Name])

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Analytic 1 - Unusual logon patterns and times.

index=linux_logs OR index=macos_logs(source="/var/log/secure" OR source="/var/log/auth.log" OR source="/var/log/system.log")("session opened" OR "session closed")| eval is_normal_hours=if(hour(_time) >= 8 AND hour(_time) <= 18, 1, 0)| search NOT [search index=linux_logs OR index=macos_logs (source="/etc/pam.d/*" OR source="/etc/passwd" OR source="/etc/shadow") action=modified | fields user]

Monitor for logon sessions for user accounts and devices that did not require MFA for authentication.

Analytic 1 - Successful logons without MFA.

index=security sourcetype="azure:eventhub" OR sourcetype="o365:management:activity" OR sourcetype="gsuite:reports:admin" OR sourcetype="linux_secure" OR sourcetype="WinEventLog:Security" (EventID="4624" OR EventID="4648" OR EventID="AuthenticationSuccess" OR EventCode IN ("4104", "552", "1200") OR EventName="UserLoggedIn" OR action="login_success")| eval MFA_used = case( isnotnull('AdditionalProperties.MFARequired') AND AdditionalProperties.MFARequired="true", "MFA", isnotnull('AdditionalProperties.MFAStatus') AND AdditionalProperties.MFAStatus="success", "MFA", isnotnull('AdditionalProperties.MFA') AND AdditionalProperties.MFA="success", "MFA", isnotnull('AuthenticationMethod') AND AuthenticationMethod IN ("MFA", "TOTP", "U2F", "Push Notification"), "MFA", isnotnull('MultiFactorUsed') AND MultiFactorUsed="Yes", "MFA", 1==1, "No MFA")| search MFA_used="No MFA"

Monitor for discrepancies in authentication to cloud services, such as PTA sign-ins recorded in Entra ID that lack corresponding events in AD.^[10]

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.

Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Windows security log Event ID 4624 (An account was successfully logged on) is generated when a user logs onto a remote machine using RDP.

Correlating logon session creation events with RDP network flows can provide a clearer picture of RDP activity and serve as a useful starting point for investigating suspicious RDP connections.

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1

sourcetype="WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778, 4779)| search LogonType=10 // RDP Interactive Logon| eval is_suspicious=if((user!="expected_users") AND (dest_ip!="expected_servers"), "True", "False")| where is_suspicious="True"

Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. ^[13][14]

Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.

For Linux systems, the Audit framework (auditd) can be used to monitor any writes to SSH log files that store information about logged in accounts such as /var/log/auth.log.

For macOS systems (10.12+), Unified Logs can be queried to show SSH daemon (sshd) messages that include information on logged in accounts. The following command-line can be used to query the last hour’s worth of unified logs in this manner: log show -info --debug --predicate 'processImagePath CONTAINS "sshd" AND eventMessage CONTAINS "Accepted"' --last 1h | grep sshd

Monitor for user accounts logged into systems that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"' can be used to review incoming VNC connection attempts for suspicious activity.^[12]

Monitor for user accounts logging into the system via Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Monitor for newly constructed logon behavior to cloud services. For example, in Azure AD, consider using Identity Protection to monitor for suspicious login behaviors to cloud resources. ^[15]

Monitor cloud audit logs and host logs for logon session events. These can be found in CloudTrail, Unified Audit Logs, Windows Event Logs and /var/log/auth.log or /var/log/secure for Linux systems.

Monitor newly created logons and credentials used in events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

Note: Analytic Event ID is for Windows Security Log (Event ID 4624 - An account was successfully logged on). The successful use of Pass the Hash for lateral movement between workstations would trigger Event ID 4624, with an event level of Information, from the Windows Security log. This event would show an account logon with a LogonType of 3 using NTLM authentication, a logon that is not a domain logon, and the user account not being the ANONYMOUS LOGON account.

Analytic 1 - Successful Local Account Login

(sourcetype="WinEventLog:Security" EventCode="4624") LogonType=3 AND AuthenticationPackageName="NTLM" AND TargetUser != "ANONYMOUS LOGON"

Monitor for newly constructed logon behavior that may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.

Monitor for newly constructed logon behavior across default accounts that have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page.

Analytic 1 - Remote Desktop Logon

(source="*WinEventLog:Security" EventCode="4624") AuthenticationPackageName= "Negotiate" AND Severity= "Information" AND logon_type= "10"

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

A remote desktop logon, through Remote Desktop Protocol, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page.

Analytic 1 - Remote Desktop Logon

(source="*WinEventLog:Security" EventCode="4624") AuthenticationPackageName= "Negotiate" AND Severity= "Information" AND logon_type= "10"

Monitor for suspicious account behavior across cloud services that share account.

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). Correlate other security systems with login information (e.g., a user has the KRBTGT account password hash and forges Kerberos ticket-granting tickets).

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).