A process creates a brand‑new logon session and token (LogonUser/LsaLogonUser) and then assigns or impersonates it (SetThreadToken/ImpersonateLoggedOnUser) so that subsequent actions run under the freshly created security context. Detection chain: (1) suspicious command or script block (e.g., runas /netonly, PowerShell P/Invoke of LogonUser) → (2) ETW/API evidence of LogonUser/SetThreadToken → (3) Security 4624 New Logon (often LogonType=9 NewCredentials, or 2/3 from a non‑interactive parent) with no interactive desktop → (4) Sysmon Event ID 1 process(es) executing with a LogonId/SID different from the parent process → (5) optional privileged operations or lateral movement.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624,4672 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Security-Auditing | api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between LogonUser*/SetThreadToken and the first spawned process (default 5–10 minutes). |
| SuspiciousLogonTypes | Which 4624 LogonTypes to treat as high risk (e.g., 9 NewCredentials, 3 Network when sourced locally). |
| AllowedImpersonators | Processes/accounts legitimately creating tokens (e.g., winlogon.exe, lsass.exe, IIS worker, trusted service accounts). |
| ParentChildUserMismatch | Whether to alert on any SID/LogonId mismatch between parent/child not in allow-list. |
| IntegrityEscalationDelta | Minimum integrity level jump (e.g., Medium→High/System) to raise severity. |
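The following is an added example, not part of the original page or of any vendor's detection content, showing steps (3) and (4) of the chain as a correlation over constructed sample events: a Security 4624 of a suspicious LogonType is joined, within TimeWindow, to a later process-creation event whose LogonId equals the new TargetLogonId while the parent process ran under a different session. The tunables above (TimeWindow, SuspiciousLogonTypes, AllowedImpersonators, IntegrityEscalationDelta) are modelled as constants. It assumes process-creation telemetry carries the process's LogonId and IntegrityLevel as Sysmon Event ID 1 does; the 4624 field names follow the Security log (SubjectLogonId, TargetLogonId, ProcessName). The API-level ETW evidence of step (2) is not modelled here, and all event values are constructed.

```python
from datetime import datetime, timedelta

# Tunables mirroring the fields in the table above (values are assumptions for this example).
TIME_WINDOW = timedelta(minutes=10)          # TimeWindow
SUSPICIOUS_LOGON_TYPES = {9, 2, 3}           # SuspiciousLogonTypes
ALLOWED_IMPERSONATORS = {                    # AllowedImpersonators (lower-cased image paths)
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}
INTEGRITY_ESCALATION_DELTA = 1               # IntegrityEscalationDelta (Medium -> High counts)
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events, not real telemetry. Field names follow Security 4624 and
# Sysmon Event ID 1, trimmed to the fields the correlation needs.
LOGON_EVENTS = [
    # Benign: interactive logon created by winlogon.exe (allow-listed creator).
    {"Time": ts("2024-05-01T09:00:00"), "EventCode": 4624, "LogonType": 2,
     "SubjectLogonId": "0x3e7", "TargetLogonId": "0x5a1c3",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # Suspicious: NewCredentials (type 9) session minted by a PowerShell process.
    {"Time": ts("2024-05-01T09:12:30"), "EventCode": 4624, "LogonType": 9,
     "SubjectLogonId": "0x5a1c3", "TargetLogonId": "0x7b2f0",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

PROCESS_EVENTS = [
    {"Time": ts("2024-05-01T09:00:05"), "ProcessId": 4100, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe", "LogonId": "0x5a1c3", "IntegrityLevel": "Medium"},
    {"Time": ts("2024-05-01T09:10:00"), "ProcessId": 5200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "LogonId": "0x5a1c3", "IntegrityLevel": "Medium"},
    # Child runs under the freshly created LogonId while its parent stays in the original one.
    {"Time": ts("2024-05-01T09:12:31"), "ProcessId": 6300, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\cmd.exe", "LogonId": "0x7b2f0", "IntegrityLevel": "High"},
    # Same new LogonId but outside TimeWindow: must not be correlated to the 4624.
    {"Time": ts("2024-05-01T09:40:00"), "ProcessId": 6400, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\net.exe", "LogonId": "0x7b2f0", "IntegrityLevel": "High"},
]


def severity(parent, child, delta=INTEGRITY_ESCALATION_DELTA):
    """'high' when the child's integrity level jumps by at least `delta` ranks over its parent."""
    if parent is None:
        return "medium"  # parent creation event not seen; the jump cannot be measured
    jump = (INTEGRITY_RANK.get(child.get("IntegrityLevel"), 1)
            - INTEGRITY_RANK.get(parent.get("IntegrityLevel"), 1))
    return "high" if jump >= delta else "medium"


def correlate(logons, procs, window=TIME_WINDOW, suspicious=SUSPICIOUS_LOGON_TYPES,
              allowed=ALLOWED_IMPERSONATORS):
    """Steps (3) and (4) of the chain: a 4624 of a suspicious LogonType whose creating process
    is not allow-listed, followed within `window` by a process whose LogonId is the new
    session while its parent process ran under a different (the creating) session."""
    by_pid = {p["ProcessId"]: p for p in procs}  # assumes no PID reuse inside the window
    alerts = []
    for lg in logons:
        if lg.get("EventCode") != 4624 or lg["LogonType"] not in suspicious:
            continue
        if lg["ProcessName"].lower() in allowed:
            continue
        for p in procs:
            if not (lg["Time"] <= p["Time"] <= lg["Time"] + window):
                continue
            if p["LogonId"] != lg["TargetLogonId"]:
                continue
            parent = by_pid.get(p["ParentProcessId"])
            if parent is not None and parent["LogonId"] == p["LogonId"]:
                continue  # no session switch between parent and child
            alerts.append({
                "NewLogonId": lg["TargetLogonId"],
                "CreatorLogonId": lg["SubjectLogonId"],
                "LogonType": lg["LogonType"],
                "Creator": lg["ProcessName"],
                "ChildImage": p["Image"],
                "ChildPid": p["ProcessId"],
                "ParentImage": parent["Image"] if parent else None,
                "DelaySeconds": (p["Time"] - lg["Time"]).total_seconds(),
                "Severity": severity(parent, p),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGON_EVENTS, PROCESS_EVENTS):
        print(alert)
```

On the sample data only cmd.exe (PID 6300) fires: it runs under the new session 0x7b2f0 one second after the type 9 logon, its parent powershell.exe still runs under 0x5a1c3, and the Medium→High jump meets IntegrityEscalationDelta, so the alert is rated high. net.exe shares the new LogonId but falls outside TimeWindow, and the winlogon.exe-created session is suppressed by AllowedImpersonators; emptying that allow-list makes explorer.exe fire as well, which illustrates why the allow-list matters for the interactive LogonTypes.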