Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Sigma rule (View on GitHub)
1title: Suspicious Remote Logon with Explicit Credentials
2id: 941e5c45-cda7-4864-8cea-bbb7458d194a
3status: test
4description: Detects suspicious processes logging on with explicit credentials
5references:
6 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
7author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
8date: 2020/10/05
9modified: 2022/08/03
10tags:
11 - attack.t1078
12 - attack.lateral_movement
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID: 4648
19 ProcessName|endswith:
20 - '\cmd.exe'
21 - '\powershell.exe'
22 - '\pwsh.exe'
23 - '\winrs.exe'
24 - '\wmic.exe'
25 - '\net.exe'
26 - '\net1.exe'
27 - '\reg.exe'
28 filter1:
29 TargetServerName: 'localhost'
30 filter2:
31 SubjectUserName|endswith: '$'
32 TargetUserName|endswith: '$'
33 condition: selection and not 1 of filter*
34falsepositives:
35 - Administrators that use the RunAS command or scheduled tasks
36level: medium
References
Related rules
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow