Outgoing Logon with New Credentials
Detects logon events that specify new credentials
Sigma rule (View on GitHub)
1title: Outgoing Logon with New Credentials
2id: def8b624-e08f-4ae1-8612-1ba21190da6b
3status: experimental
4description: Detects logon events that specify new credentials
5references:
6 - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
7author: Max Altgelt (Nextron Systems)
8date: 2022/04/06
9logsource:
10 product: windows
11 service: security
12detection:
13 selection:
14 EventID: 4624
15 LogonType: 9
16 condition: selection
17falsepositives:
18 - Legitimate remote administration activity
19level: low