Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Authors: oscd.community, Teymur Kheirkhabarov, Zach Stanford, Tim Shelton
Created: Mon Oct 05
Updated: Wed Aug 03
Rule ID: 941e5c45-cda7-4864-8cea-bbb7458d194a
Product: windows
Log Source
Product: windows
Service: security
Detection Logic
detection:
  selection:
    EventID: 4648
    ProcessName|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\winrs.exe'
      - '\wmic.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\reg.exe'
  filter1:
    TargetServerName: 'localhost'
  filter2:
    SubjectUserName|endswith: '$'
    TargetUserName|endswith: '$'
  condition: selection and not 1 of filter*
False Positives
Administrators that use the RunAS command or scheduled tasks
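To see how the selection and the two filters combine (and why the RunAs case above still fires while machine-to-machine logons are suppressed), here is the rule's logic re-implemented in Python and run over constructed Event ID 4648 records. This is an added example, not code from the Sigma project; field names are the rule's, the event values are made up.

```python
# Values copied from the rule; the event records below are constructed, not real telemetry.
PROCESS_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\winrs.exe",
    "\\wmic.exe", "\\net.exe", "\\net1.exe", "\\reg.exe",
)

def selection(ev: dict) -> bool:
    """EventID 4648 from one of the listed images; Sigma string matching is case-insensitive."""
    return ev.get("EventID") == 4648 and str(ev.get("ProcessName", "")).lower().endswith(PROCESS_SUFFIXES)

def filter1(ev: dict) -> bool:
    """Explicit-credential logon aimed at the local machine."""
    return str(ev.get("TargetServerName", "")).lower() == "localhost"

def filter2(ev: dict) -> bool:
    """Both accounts are machine accounts; fields inside one Sigma selection are ANDed."""
    return (str(ev.get("SubjectUserName", "")).endswith("$")
            and str(ev.get("TargetUserName", "")).endswith("$"))

def matches(ev: dict) -> bool:
    """condition: selection and not 1 of filter*"""
    return selection(ev) and not (filter1(ev) or filter2(ev))

def alerts(events: list) -> list:
    """Indexes of the events that would raise this rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]

# Constructed sample events.
SAMPLE_EVENTS = [
    # 0: cmd.exe using another user's credentials against a remote host -> alert (also the admin RunAs case)
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup", "TargetServerName": "FILESRV01"},
    # 1: same kind of logon but aimed at localhost -> suppressed by filter1
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "SubjectUserName": "bob", "TargetUserName": "bob", "TargetServerName": "localhost"},
    # 2: image not in the selection list -> never selected
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "SubjectUserName": "WS01$", "TargetUserName": "WS01$", "TargetServerName": "DC01"},
    # 3: machine account to machine account -> suppressed by filter2 (case-insensitive image match)
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "SubjectUserName": "WS01$", "TargetUserName": "WS01$", "TargetServerName": "DC01"},
    # 4: machine account switching to a user account -> only one name ends in '$', so filter2 does not apply
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "SubjectUserName": "WS01$", "TargetUserName": "admin", "TargetServerName": "DC01"},
]
```

Running `alerts(SAMPLE_EVENTS)` returns `[0, 4]`; event 4 is worth noting because filter2 only suppresses when both the subject and the target are machine accounts.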
References
MITRE ATT&CK
Rule Metadata
Rule ID
941e5c45-cda7-4864-8cea-bbb7458d194a
Status
test
Level
medium
Type
Detection
Created
Mon Oct 05
Modified
Wed Aug 03
Path
rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.initial-access, attack.defense-evasion, attack.t1078, attack.lateral-movement