detection.wiki

Detection rules › Sigma

Admin User Remote Logon

Status
test
Severity
low
Log source
product windows, service security
Author
juju4
Source
github.com/SigmaHQ/sigma

Detect remote login by Administrator user (depending on internal pattern).

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
PersistenceT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
Privilege EscalationT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
StealthT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4624An account was successfully logged on.

Rule body yaml

title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
    - https://car.mitre.org/wiki/CAR-2016-04-005
author: juju4
date: 2017-10-29
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - attack.t1078.002
    - attack.t1078.003
    - car.2016-04-005
logsource:
    product: windows
    service: security
    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection
falsepositives:
    - Legitimate administrative activity.
level: low

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    EventID: 4624
    LogonType: 10
    AuthenticationPackageName: Negotiate
    TargetUserName|startswith: 'Admin'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuthenticationPackageNameeq
  • Negotiate corpus 4 (sigma 4)
LogonTypeeq
  • 10 corpus 8 (kusto 4, sigma 3, splunk 1)
TargetUserNamestarts_with
  • Admin