Detection rules › By event

Microsoft-Windows-Security-Auditing Event ID 4624

96 detection rules reference this event. View event page.

Sigma (29)

Active Directory honeypot used for lateral movement severity high T1021
Admin User Remote Logon severity low T1078, T1078.001, T1078.002, T1078.003
Administrator login impersonation with forged Golden ticket severity high T1558, T1558.001
Anonymous access performed to multiple targets severity high T1046
Anonymous login (RottenPotatoNG) severity high T1134, T1134.001
Azure Windows virtual machine login via serial console severity high T1078
Detection of default a Windows host name in login attempts severity medium T1564, T1564.006
DiagTrackEoP Default Login Username severity critical
Exchange server impersonation via PrivExchange relay attack severity high T1557, T1557.001
External Remote RDP Logon from Public IP severity medium T1078, T1110, T1133
External Remote SMB Logon from Public IP severity high T1078, T1110, T1133
Hacktool Ruler severity high T1059, T1087, T1114, T1550, T1550.002
Metasploit SMB Authentication severity high T1021, T1021.002
Mimikatz Pass-the-hash login severity high T1550, T1550.002
NetSYnc attack severity high T1003, T1003.006
Network login performed to multiple targets severity high T1046, T1078
Outgoing Logon with New Credentials severity low T1550
Pass the Hash Activity 2 severity medium T1550, T1550.002
Potential Access Token Abuse severity medium T1134, T1134.001
Potential Privilege Escalation via Local Kerberos Relay over LDAP severity high T1548
Potential Remote WMI ActiveScriptEventConsumers Activity severity medium T1546, T1546.003
Privilege escalation via runas (command) severity medium T1134, T1134.002
RDP Login from Localhost severity high T1021, T1021.001
RottenPotato Like Attack Pattern severity high T1557, T1557.001
Success login attempt on a Windows OpenSSH server severity medium T1078
Successful Account Login Via WMI severity low T1047
Successful Overpass the Hash Attempt severity high T1550, T1550.002
Suspicious anonymous login (domain specified) severity high T1046
User password change without previous password known - SetNTLM (Mimikatz) severity high T1098

Elastic (11)

Account Password Reset Remotely severity medium T1098, T1531
Multiple Logon Failure Followed by Logon Success severity medium T1110, T1110.001, T1110.003
Potential Account Takeover - Logon from New Source IP severity medium T1078
Potential Account Takeover - Mixed Logon Types severity medium T1078
Potential Computer Account NTLM Relay Activity severity medium T1187, T1557, T1557.001
Potential Kerberos Relay Attack against a Computer Account severity high T1187, T1550, T1557, T1557.001
Potential NTLM Relay Attack against a Computer Account severity high T1187, T1557, T1557.001
Potential Pass-the-Hash (PtH) Attempt severity medium T1550, T1550.002
Process Creation via Secondary Logon severity medium T1134, T1134.002, T1134.003
Remote Windows Service Installed severity medium T1021, T1021.002, T1543, T1543.003, T1569, T1569.002
Service Creation via Local Kerberos Authentication severity high T1543, T1543.003, T1557, T1558

Splunk (20)

Detect Password Spray Attack Behavior From Source severity medium T1110, T1110.003
Detect Password Spray Attack Behavior On User severity medium T1110, T1110.003
Multiple Host logons (Windows Event Log) T1078
Pass-the-Hash (Windows Event Log) T1550, T1550.002
Potential EternalBlue via Metasploit (Windows Event Log) T1021, T1021.002
Potential Exposed SMB_RDP Port - Windows (Windows Event Log) T1190
Potential SMB Activity from External IP - Windows (Windows Event Log) T1190
SecretsDump Credential Harvest (Windows Event Log) T1003, T1003.002
Suspicious Spool Authentication (Windows Event Log) T1557, T1557.001
Unusual Number of Remote Endpoint Authentication Events T1078
Windows AD Domain Controller Promotion severity medium T1207
Windows AD Replication Request Initiated by User Account severity medium T1003, T1003.006
Windows AD Replication Request Initiated from Unsanctioned Location severity medium T1003, T1003.006
Windows AD Short Lived Domain Controller SPN Attribute severity medium T1207
Windows AD Suspicious Attribute Modification severity medium T1222, T1222.001, T1550
Windows Identify PowerShell Web Access IIS Pool T1190
Windows Kerberos Local Successful Logon severity medium T1558
Windows Local Administrator Credential Stuffing severity medium T1110, T1110.004
Windows Rapid Authentication On Multiple Hosts severity medium T1003, T1003.002
Windows RDP Login Session Was Established severity low T1021, T1021.001

Kusto (24)

Brute force attack against user credentials (Uses Authentication Normalization) severity medium T1110
Detect service account login on new device T1021, T1021.001, T1021.002, T1021.003, T1021.006
EatonForeseer - Unauthorized Logins severity high T1078
Failed AzureAD logons but success logon to host severity medium T1078, T1110
Gain Code Execution on ADFS Server via Remote WMI Execution severity medium T1210
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task severity medium T1210
Multiple RDP connections from Single System severity low T1021
Non Domain Controller Active Directory Replication severity high T1003, T1003.006
NTLM Relay Attack T1187, T1557, T1557.001
Password Spray
Password Spraying severity medium T1110, T1110.003
Potential NTLM Relay Attack to Domain Controller
Potential Password Spray Attack (Uses Authentication Normalization) severity medium T1110
Potential Remote Desktop Tunneling severity medium T1572
Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint
Potentially Relayed NTLM Authentication - Microsoft Sentinel
Potentially Relayed NTLM Authentication - Microsoft Sentinel
Rare RDP Connections severity medium T1021
RDP Nesting severity medium T1021
SecurityEvent - Multiple authentication failures followed by a success severity low T1110
Service Accounts Performing Remote PS severity high T1210
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) severity medium T1078, T1098
Starting or Stopping HealthService to Avoid Detection severity medium T1562, T1562.001
User login from different countries within 3 hours (Uses Authentication Normalization) severity high T1078

YARA-L (12)

ADFS DKM Key Access severity high T1552, T1552.004
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage T1550, T1550.001
GeoIP User Login From Multiple States Or Countries severity low
Logins From Terminated Employees severity medium T1078
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One severity medium T1110, T1110.001
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity severity medium T1110, T1110.001
MITRE ATT&CK T1110.003 RW Windows Password Spray severity medium T1110, T1110.003
Okta Multiple Failed Requests To Access Applications severity medium T1550, T1550.004
sap break glass account login severity low T1078
sap impossible travel severity medium T1078
sap multi terminal logon severity medium T1078
Windows Short Term Account Use severity medium

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 4624

Sigma (29)

Elastic (11)

Splunk (20)

Kusto (24)

YARA-L (12)

Keyboard shortcuts

Search operators