Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton[1]
Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)
Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1185 | Browser Session Hijacking |
Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. |
|
| Enterprise | T1538 | Cloud Service Dashboard |
Monitor for newly constructed logon behavior across cloud service management consoles. |
|
| Enterprise | T1213 | Data from Information Repositories |
Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents. [2] Sharepoint audit logging can also be configured to report when a user shares a resource. [3]The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. [4] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. |
|
| .001 | Confluence |
Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. [4] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. |
||
| .002 | Sharepoint |
Monitor for newly constructed logon behavior across Microsoft's SharePoint which can be configured to report access to certain pages and documents. [2] As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. |
||
| .003 | Code Repositories |
Monitor for newly constructed logon behavior across code repositories (e.g. Github) which can be configured to report access to certain pages and documents. |
||
| Enterprise | T1114 | Email Collection |
Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account). |
|
| .002 | Remote Email Collection |
Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account). |
||
| Enterprise | T1606 | Forge Web Credentials |
Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts and/or using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[5]. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the credentials.[6] |
|
| .001 | Web Cookies |
Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. |
||
| .002 | SAML Tokens |
Monitor for logins using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[5] These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.[6] |
||
| Enterprise | T1556 | Modify Authentication Process |
Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[7] |
|
| .001 | Domain Controller Authentication |
Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[7] |
||
| .003 | Pluggable Authentication Modules |
Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
||
| Enterprise | T1621 | Multi-Factor Authentication Request Generation |
Monitor 2FA/MFA application logs for suspicious events such as rapid login attempts with valid credentials. |
|
| Enterprise | T1563 | Remote Service Session Hijacking |
Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. |
|
| .001 | SSH Hijacking |
Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users. |
||
| .002 | RDP Hijacking |
Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. |
||
| Enterprise | T1021 | Remote Services |
Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [8][9] |
|
| .001 | Remote Desktop Protocol |
Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. |
||
| .002 | SMB/Windows Admin Shares |
Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. [10][11] |
||
| .004 | SSH |
Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in |
||
| .005 | VNC |
Monitor for user accounts logged into systems that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems |
||
| .006 | Windows Remote Management |
Monitor for user accounts logging into the system via Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. |
||
| Enterprise | T1199 | Trusted Relationship |
Monitor for newly constructed logon behavior that may breach or otherwise leverage organizations who have access to intended victims. |
|
| Enterprise | T1550 | Use Alternate Authentication Material |
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. |
|
| .002 | Pass the Hash |
Monitor newly created logons and credentials used in events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. |
||
| .003 | Pass the Ticket |
Monitor for newly constructed logon behavior that may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. |
||
| Enterprise | T1078 | Valid Accounts |
Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
|
| .001 | Default Accounts |
Monitor for newly constructed logon behavior across default accounts that have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. |
||
| .002 | Domain Accounts |
Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. |
||
| .003 | Local Accounts |
Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. |
||
| .004 | Cloud Accounts |
Monitor for suspicious account behavior across cloud services that share account. |
||
Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it
Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1133 | External Remote Services |
Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours. |
|
| Enterprise | T1606 | .002 | Forge Web Credentials: SAML Tokens |
Consider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.[5] |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation |
Monitor 2FA/MFA application logs for suspicious events such as unusual login attempt source location, mismatch in location of login attempt and smart device approving 2FA/MFA request prompts. |
|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets |
Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[12] [13] |
|
| .001 | Golden Ticket |
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). Correlate other security systems with login information (e.g., a user has the KRBTGT account password hash and forges Kerberos ticket-granting tickets). |
||
| .002 | Silver Ticket |
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672). |
||
| Enterprise | T1199 | Trusted Relationship |
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
|
| Enterprise | T1078 | Valid Accounts |
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. |
|
| .002 | Domain Accounts |
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
||
| .003 | Local Accounts |
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
||
| .004 | Cloud Accounts | |||