Detectionlowtest

Admin User Remote Logon

Detect remote login by Administrator user (depending on internal pattern).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

juju4Created Sun Oct 29Updated Sun Oct 090f63e1ef-1eb9-4226-9d54-8927ca08520awindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account

Detection Logic

detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection

False Positives

Legitimate administrative activity.

References

Resolving title…

car.mitre.org

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion TA0008 · Lateral Movement TA0001 · Initial Access

Sub-techniques

T1078.001 · Default Accounts T1078.002 · Domain Accounts T1078.003 · Local Accounts

CAR Analytics

2016-04-005 · CAR 2016-04-005

Rule Metadata

Rule ID

0f63e1ef-1eb9-4226-9d54-8927ca08520a

Status

test

Level

low

Type

Detection

Created

Sun Oct 29

Modified

Sun Oct 09

Author

juju4

Path

rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.lateral-movementattack.initial-accessattack.t1078.001attack.t1078.002attack.t1078.003car.2016-04-005

View on GitHub