Logon Session

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization[1]

ID: DS0028
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host, Network
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.1
Created: 20 October 2021
Last Modified: 21 October 2022

Data Components

Logon Session: Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Logon Session: Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Domain ID Name Detects
Enterprise T1185 Browser Session Hijacking

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

Enterprise T1538 Cloud Service Dashboard

Monitor for newly constructed logon behavior across cloud service management consoles.

Enterprise T1213 Data from Information Repositories

Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents. [2] Sharepoint audit logging can also be configured to report when a user shares a resource. [3]The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. [4] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

.001 Confluence

Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. [4] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

.002 Sharepoint

Monitor for newly constructed logon behavior across Microsoft's SharePoint which can be configured to report access to certain pages and documents. [2] As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.

.003 Code Repositories

Monitor for newly constructed logon behavior across code repositories (e.g. Github) which can be configured to report access to certain pages and documents.

ICS T0811 Data from Information Repositories

In the case of detecting collection from centralized information repositories monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.[2] Sharepoint audit logging can also be configured to report when a user shares a resource.[3] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[4] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. For added context on adversary procedures and background see Data from Information Repositories.

ICS T0812 Default Credentials

Monitor logon sessions for default credential use.

Enterprise T1114 Email Collection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

.002 Remote Email Collection

Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).

Enterprise T1606 Forge Web Credentials

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts and/or using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[5]. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the credentials.[6]

.001 Web Cookies

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.

.002 SAML Tokens

Monitor for logins using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[5] These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.[6]

ICS T0823 Graphical User Interface

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Remote Services may be used to access a host’s GUI.

ICS T0891 Hardcoded Credentials

Monitor logon sessions for hardcoded credential use, when feasible.

Enterprise T1556 Modify Authentication Process

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[7]

.001 Domain Controller Authentication

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[7]

.003 Pluggable Authentication Modules

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.006 Multi-Factor Authentication

Monitor for logon sessions for user accounts and devices that did not require MFA for authentication.

.007 Hybrid Identity

Monitor for discrepancies in authentication to cloud services, such as PTA sign-ins recorded in Azure AD that lack corresponding events in AD.[8]

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor 2FA/MFA application logs for suspicious events such as rapid login attempts with valid credentials.

Enterprise T1563 Remote Service Session Hijacking

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

.001 SSH Hijacking

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.

.002 RDP Hijacking

Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Enterprise T1021 Remote Services

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [9][10]

.001 Remote Desktop Protocol

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

.002 SMB/Windows Admin Shares

Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. [11][12]

.004 SSH

Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.

.005 VNC

Monitor for user accounts logged into systems that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"' can be used to review incoming VNC connection attempts for suspicious activity.[10]

.006 Windows Remote Management

Monitor for user accounts logging into the system via Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

ICS T0886 Remote Services

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see Remote Services and applicable sub-techniques.

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (Schannel, associated with SSL/TLS) is highlighted as the Logon Process associated with an EID 4624 logon event.[13]

Enterprise T1199 Trusted Relationship

Monitor for newly constructed logon behavior that may breach or otherwise leverage organizations who have access to intended victims.

Enterprise T1550 Use Alternate Authentication Material

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.002 Pass the Hash

Monitor newly created logons and credentials used in events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

.003 Pass the Ticket

Monitor for newly constructed logon behavior that may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.

Enterprise T1078 Valid Accounts

Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.001 Default Accounts

Monitor for newly constructed logon behavior across default accounts that have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.

.002 Domain Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.003 Local Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.004 Cloud Accounts

Monitor for suspicious account behavior across cloud services that share account.

ICS T0859 Valid Accounts

Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

ICS T0860 Wireless Compromise

Monitor login sessions for new or unexpected devices or sessions on wireless networks.

Logon Session: Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Logon Session: Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Domain ID Name Detects
Enterprise T1133 External Remote Services

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

ICS T0822 External Remote Services

Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts.

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

Consider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.[5]

ICS T0883 Internet Accessible Device

Monitor logon activity for unexpected or unusual access to devices from the Internet.

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor 2FA/MFA application logs for suspicious events such as unusual login attempt source location, mismatch in location of login attempt and smart device approving 2FA/MFA request prompts.

Enterprise T1558 Steal or Forge Kerberos Tickets

Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[14] [15]

.001 Golden Ticket

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). Correlate other security systems with login information (e.g., a user has the KRBTGT account password hash and forges Kerberos ticket-granting tickets).

.002 Silver Ticket

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).

Enterprise T1199 Trusted Relationship

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Enterprise T1078 Valid Accounts

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

.002 Domain Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.003 Local Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

.004 Cloud Accounts

Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

ICS T0859 Valid Accounts

Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

References