Outgoing Logon with New Credentials

Detects logon events that specify new credentials

Sigma rule

title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: experimental
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022/04/06
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low
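
As an added example (not part of the original page or the Sigma project), the sketch below applies the rule's selection to Security events exported as XML and returns the fields an analyst would triage first. The sample events, account names and the `make_event` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Selection copied from the rule; compared as strings because event XML
# carries every field as text.
SELECTION = {"EventID": "4624", "LogonType": "9"}

def flatten(event_xml):
    """Turn one Security event (XML) into a flat field -> value dict."""
    root = ET.fromstring(event_xml)
    fields = {"EventID": root.findtext("e:System/e:EventID", "", NS).strip()}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def matches(fields, selection=SELECTION):
    """Sigma map semantics: all keys in a selection must match (logical AND)."""
    return all(fields.get(k) == v for k, v in selection.items())

def detect(events):
    """Return triage fields for every event the rule would flag."""
    hits = []
    for xml in events:
        f = flatten(xml)
        if matches(f):
            hits.append((f.get("SubjectUserName"),
                         f.get("TargetOutboundUserName"),
                         f.get("ProcessName")))
    return hits

def make_event(event_id, **data):
    """Hypothetical helper: builds a constructed sample event."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed samples: only the first satisfies both conditions. The 4634
# logoff also carries LogonType 9, which is why EventID must match as well.
SAMPLES = [
    make_event(4624, LogonType=9, SubjectUserName="alice",
               TargetOutboundUserName="svc-backup",
               ProcessName=r"C:\Windows\System32\svchost.exe"),
    make_event(4624, LogonType=3, SubjectUserName="-"),
    make_event(4634, LogonType=9, TargetUserName="alice"),
    make_event(4648, SubjectUserName="alice"),
]
```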