Detection of suspicious logon behavior using valid domain accounts: the same account creating sessions across multiple hosts, logons outside business hours, or simultaneous sessions from geographically distant locations.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4625, 4768, 4769 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Tune for detection of off-hours or abnormal logon spikes. |
| UserContext | Scope to sensitive domain accounts (e.g., Domain Admins). |
| LogonType | Distinguish between interactive, service, and network logons. |
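The three behaviors named above (off-hours logons by sensitive accounts, one account spreading across several hosts in a short window, and sessions from places too far apart for the elapsed time) can each be expressed as a small rule over 4624 records. The following is an added example and not code from the detection strategy page: the events are constructed 4624/4625 records reduced to the `TargetUserName`, `Computer`, `IpAddress` and `LogonType` fields, the IP-to-coordinate table is a stand-in for a GeoIP lookup, and the account list, business hours and thresholds are assumed values to be tuned per the `TimeWindow`, `UserContext` and `LogonType` fields.

```python
"""Three analytics over Windows Security 4624 events for domain-account misuse.

Added illustration, not part of the detection strategy page. EVENTS and GEO
are constructed; thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SENSITIVE_ACCOUNTS = {"svc_backup", "da_admin"}          # UserContext: high-value accounts
BUSINESS_HOURS = (8, 18)                                 # TimeWindow: 08:00-18:00 local
SPREAD_HOSTS, SPREAD_WINDOW = 3, timedelta(minutes=10)   # >=3 distinct hosts within 10 min
MAX_TRAVEL_KMH = 900.0                                   # roughly airliner speed

# Constructed GeoIP stand-in: source IP -> (latitude, longitude).
GEO = {
    "10.1.1.50": (47.6, -122.3),    # constructed: Seattle office range
    "10.1.1.51": (47.6, -122.3),
    "203.0.113.7": (52.5, 13.4),    # constructed: Berlin (TEST-NET-3 address)
}

# Constructed 4624/4625 records; 2024-03-12 is a Tuesday.
EVENTS = [
    {"time": "2024-03-12T09:05:00", "EventCode": 4624, "TargetUserName": "jdoe",
     "Computer": "WS01", "IpAddress": "10.1.1.50", "LogonType": 2},
    {"time": "2024-03-12T02:10:00", "EventCode": 4624, "TargetUserName": "da_admin",
     "Computer": "DC01", "IpAddress": "10.1.1.51", "LogonType": 10},
    {"time": "2024-03-12T02:12:00", "EventCode": 4624, "TargetUserName": "da_admin",
     "Computer": "FS01", "IpAddress": "10.1.1.51", "LogonType": 3},
    {"time": "2024-03-12T02:14:00", "EventCode": 4624, "TargetUserName": "da_admin",
     "Computer": "SQL01", "IpAddress": "10.1.1.51", "LogonType": 3},
    {"time": "2024-03-12T09:30:00", "EventCode": 4624, "TargetUserName": "jdoe",
     "Computer": "WS01", "IpAddress": "203.0.113.7", "LogonType": 10},
    {"time": "2024-03-12T09:40:00", "EventCode": 4625, "TargetUserName": "jdoe",
     "Computer": "WS02", "IpAddress": "203.0.113.7", "LogonType": 3},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def off_hours_logons(events, accounts=SENSITIVE_ACCOUNTS, hours=BUSINESS_HOURS):
    """Successful logons by sensitive accounts outside business hours or on a weekend."""
    hits = []
    for e in events:
        if e["EventCode"] != 4624 or e["TargetUserName"] not in accounts:
            continue
        t = _ts(e)
        if t.weekday() >= 5 or not hours[0] <= t.hour < hours[1]:
            hits.append((e["TargetUserName"], e["Computer"], e["time"]))
    return hits


def host_spread(events, min_hosts=SPREAD_HOSTS, window=SPREAD_WINDOW):
    """Accounts with remote logons (types 3 and 10) to >= min_hosts distinct hosts
    inside one sliding window; the shape lateral movement with a valid account leaves."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4624 and e["LogonType"] in (3, 10):
            by_user[e["TargetUserName"]].append((_ts(e), e["Computer"]))
    hits = {}
    for user, seen in by_user.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, geo=GEO, max_kmh=MAX_TRAVEL_KMH):
    """Consecutive successful logons for one account whose source locations are farther
    apart than the elapsed time permits (covers simultaneous sessions from distant places)."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4624 and e["IpAddress"] in geo:
            by_user[e["TargetUserName"]].append((_ts(e), e["IpAddress"]))
    hits = []
    for user, seen in by_user.items():
        seen.sort()
        for (t0, ip0), (t1, ip1) in zip(seen, seen[1:]):
            dist = _km(geo[ip0], geo[ip1])
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 3600)  # guard divide-by-zero
            if dist / hours > max_kmh:
                hits.append((user, ip0, ip1, round(dist)))
    return hits


if __name__ == "__main__":
    print("off-hours:", off_hours_logons(EVENTS))
    print("host spread:", host_spread(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
```

On the constructed data, `da_admin` trips both the off-hours and host-spread rules (three hosts in four minutes at 02:00), while `jdoe` trips impossible travel (Seattle and Berlin 25 minutes apart); the 4625 failure is deliberately ignored by all three so that failed attempts do not inflate the host count. In production the same rules would be fed from the Security channel listed above, with the GeoIP table replaced by a real lookup and the baseline of normal hours learned per account rather than fixed.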
Use of domain accounts via sssd or winbind for logon activity outside of typical patterns, especially on sensitive systems or with lateral movement tools.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | auditd:SYSCALL | pam_authenticate, sshd |
| Logon Session Metadata (DC0088) | linux:syslog | sssd / sudo logs |

| Field | Description |
|---|---|
| HostnameScope | Filter to high-value systems (e.g., domain-joined servers). |
| AccountDomain | Identify trusted domains versus external or misconfigured domains. |
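The `HostnameScope` and `AccountDomain` fields above translate directly into filters over sshd and sudo syslog entries: keep only sensitive hosts, split the account into user and realm as sssd (`user@realm`) or winbind (`REALM\user`) present it, and compare the realm against the trusted domain list and the account against a per-host baseline. The following is an added example, not code from the detection strategy page: the log lines, host list, trusted domain, baseline and the five-minute sudo window are constructed assumptions; only the sshd `Accepted ... for ... from ... port` and sudo `TTY= ; PWD= ; USER= ; COMMAND=` layouts follow the daemons' real syslog formats.

```python
"""sshd/sudo syslog review for domain-account use on sensitive Linux hosts.

Added illustration, not part of the detection strategy page. SAMPLE_LINES,
HIGH_VALUE_HOSTS, TRUSTED_DOMAINS and BASELINE are constructed.
"""
import re
from datetime import datetime, timedelta

HIGH_VALUE_HOSTS = {"srv01", "dc-sync01"}     # HostnameScope: domain-joined servers of interest
TRUSTED_DOMAINS = {"corp.example"}            # AccountDomain: realms expected to log on here
BASELINE = {("srv01", "alice@corp.example")}  # constructed: accounts normally seen per host
SUDO_WINDOW = timedelta(minutes=5)            # root sudo this soon after an unexpected logon

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<account>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<account>\S+) : "
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed syslog lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "Mar 12 09:02:11 ws-lab02 sshd[2201]: Accepted publickey for alice@corp.example from 10.1.1.50 port 50211 ssh2",
    "Mar 12 02:11:03 srv01 sshd[1234]: Accepted password for svc_backup@corp.example from 10.1.1.51 port 51022 ssh2",
    "Mar 12 02:11:40 srv01 sudo:   svc_backup@corp.example : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/usr/bin/id",
    "Mar 12 02:15:22 srv01 sshd[1240]: Accepted password for CONTOSO\\bob from 198.51.100.9 port 40400 ssh2",
    "Mar 12 03:00:01 srv01 sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 40401 ssh2",
    "Mar 12 08:30:00 srv01 sshd[1400]: Accepted publickey for alice@corp.example from 10.1.1.50 port 50300 ssh2",
]


def split_account(account):
    """(user, realm) for 'user@realm' (sssd), 'REALM\\user' (winbind) or a local user (realm None)."""
    if "\\" in account:
        realm, user = account.split("\\", 1)
        return user, realm.lower()
    if "@" in account:
        user, realm = account.split("@", 1)
        return user, realm.lower()
    return account, None


def parse_line(line):
    """Normalise one sshd or sudo syslog line into a dict; None for anything else."""
    m = SSHD_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"], rec["ok"] = "sshd", rec["result"] == "Accepted"
    else:
        m = SUDO_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["kind"], rec["ok"] = "sudo", True
    # Classic syslog carries no year; the parsed value is only used for deltas.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["user"], rec["realm"] = split_account(rec["account"])
    return rec


def analyze(lines, hosts=HIGH_VALUE_HOSTS, trusted=TRUSTED_DOMAINS, baseline=BASELINE):
    """Return (rule, host, account, timestamp) findings for domain accounts on sensitive hosts."""
    findings, recent_new = [], {}   # recent_new: (host, account) -> time of unexpected logon
    for rec in filter(None, map(parse_line, lines)):
        if rec["host"] not in hosts or rec["realm"] is None:
            continue   # local accounts and out-of-scope hosts belong to other analytics
        key = (rec["host"], rec["account"])
        if rec["kind"] == "sshd" and rec["ok"]:
            if rec["realm"] not in trusted:
                findings.append(("untrusted_domain", *key, rec["ts"]))
            if key not in baseline:
                findings.append(("new_domain_account_on_sensitive_host", *key, rec["ts"]))
                recent_new[key] = rec["time"]
        elif rec["kind"] == "sudo" and rec["target"] == "root":
            seen = recent_new.get(key)
            if seen is not None and rec["time"] - seen <= SUDO_WINDOW:
                findings.append(("root_sudo_after_unexpected_logon", *key, rec["ts"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(*finding)
```

On the sample lines the lab workstation logon and the baselined `alice@corp.example` session produce nothing, `svc_backup@corp.example` is flagged once for appearing on `srv01` for the first time and again when it escalates to root within the window, and `CONTOSO\bob` is flagged both as an untrusted realm and as a new account. The failed attempt is parsed but not scored; in practice it would feed a separate brute-force or spray analytic rather than this one. The baseline is the part that needs real data: seed it from several weeks of logs per host before enabling the new-account rule.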
Domain logins using network accounts or mobile accounts via Open Directory or Active Directory plugins, especially outside business hours or on atypical endpoints.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | macos:unifiedlog | log show --predicate 'eventMessage contains "Authentication"' |

| Field | Description |
|---|---|
| UserLocation | Geo-IP or VPN source context for abnormal remote access. |
| LogonMethod | Control for expected services (e.g., GUI login vs. SSH). |
Login to vSphere or ESXi hosts using domain accounts, especially those associated with vpxuser or unexpected group memberships.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | esxi:vpxd | /var/log/vmware/vpxd.log |
| Logon Session Metadata (DC0088) | esxi:hostd | /var/log/hostd.log |

| Field | Description |
|---|---|
| AccountType | Prioritize detection on accounts with elevated access. |
| LoginInterface | Distinguish interactive UI login from API or SSH access. |