Detectionlowtest

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Max Altgelt (Nextron Systems)Created Wed Apr 06def8b624-e08f-4ae1-8612-1ba21190da6bwindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection

False Positives

Legitimate remote administration activity

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

def8b624-e08f-4ae1-8612-1ba21190da6b

Status

test

Level

low

Type

Detection

Created

Wed Apr 06

Author

Path

rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml

Raw Tags

attack.defense-evasionattack.lateral-movementattack.t1550