Rules Contributing to Suspicious Windows Logon Event Alerts

The following rules are used to identify suspicious Windows logon activity. A match on any one or more of them triggers a Suspicious Windows Logon alert. Details for each rule can be viewed by clicking the More Details link in its description.

Title: Remote WMI ActiveScriptEventConsumers
Description: Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.

Title: RottenPotato Like Attack Pattern
Description: Detects logon events that have the characteristics of events generated during an attack with RottenPotato and similar tools.

Title: Successful Overpass the Hash Attempt
Description: Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behaviour of, e.g., Mimikatz's sekurlsa::pth module.

Title: RottenPotato Logon
Description: RottenPotato is an exploitation tool used to gain elevated privileges on Windows machines. A new Windows logon event matches the attack pattern used by RottenPotato, which is an indicator of compromise.

Title: DiagTrackEoP Default Login Username
Description: Detects the default "UserName" used by the DiagTrackEoP proof of concept.

Title: Access Token Abuse
Description: This rule tries to detect token impersonation and theft (for example DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag).

Title: KrbRelayUp Attack Pattern
Description: Detects logon events that have the characteristics of events generated during an attack with KrbRelayUp and similar tools.
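The following is an added example, not code from this page or its product, showing how logon-pattern rules of this kind are evaluated against Windows Security 4624 events and how any single match raises the alert. The page does not list the field conditions behind each rule; the conditions used here (logon type, logon process, authentication package, target user, workstation name, source address, logon process image) are assumptions drawn from the public Sigma rules that carry the same titles, and the events are constructed sample records rather than captured logs.

```python
# Added example (not the page's or product's own code). Field conditions are
# assumptions based on the public Sigma rules of the same names; the sample
# events below are constructed, not captured from a real host.

LOOPBACK = {"127.0.0.1", "::1"}


def _get(ev, key):
    return str(ev.get(key, ""))


def is_overpass_the_hash(ev):
    """Logon type 9 (NewCredentials) performed through the 'seclogo' logon
    process with the Negotiate package: the trace left by sekurlsa::pth."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 9
            and _get(ev, "LogonProcessName").lower() == "seclogo"
            and _get(ev, "AuthenticationPackageName").lower() == "negotiate")


def is_rottenpotato_like(ev):
    """Network logon as ANONYMOUS LOGON from the local host with an empty
    workstation name, as produced by RottenPotato-style local NTLM relays."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and _get(ev, "TargetUserName").upper() == "ANONYMOUS LOGON"
            and _get(ev, "WorkstationName") == "-"
            and _get(ev, "IpAddress") in LOOPBACK)


def is_krbrelayup_like(ev):
    """Kerberos network logon of a machine account ($) originating from the
    local host, the pattern KrbRelayUp leaves when it relays to the local SMB/LDAP."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and _get(ev, "AuthenticationPackageName").lower() == "kerberos"
            and _get(ev, "TargetUserName").endswith("$")
            and _get(ev, "IpAddress") in LOOPBACK)


def is_remote_wmi_activescript(ev):
    """Network logon whose logon process image is scrcons.exe, the host for
    WMI ActiveScriptEventConsumers."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and _get(ev, "ProcessName").lower().endswith("\\scrcons.exe"))


# Rule titles as they appear in the list above, mapped to their checks.
RULES = {
    "Successful Overpass the Hash Attempt": is_overpass_the_hash,
    "RottenPotato Like Attack Pattern": is_rottenpotato_like,
    "KrbRelayUp Attack Pattern": is_krbrelayup_like,
    "Remote WMI ActiveScriptEventConsumers": is_remote_wmi_activescript,
}


def matching_rules(ev):
    """Return the titles of every rule the event satisfies."""
    return [title for title, check in RULES.items() if check(ev)]


def should_alert(ev):
    """Any one or more matching rules raises the Suspicious Windows Logon alert."""
    return bool(matching_rules(ev))


# Constructed sample 4624 records (field names follow the Security log XML).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice",
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "WS01", "IpAddress": "-",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "alice",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "WS01", "IpAddress": "::1",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "-", "IpAddress": "127.0.0.1", "ProcessName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "-", "IpAddress": "127.0.0.1", "ProcessName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_wmi",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS02", "IpAddress": "10.0.0.5",
     "ProcessName": "C:\\Windows\\System32\\wbem\\scrcons.exe"},
]


def scan(events):
    """Map each event index to its matching rule titles, skipping clean events."""
    return {i: matching_rules(ev) for i, ev in enumerate(events) if should_alert(ev)}


if __name__ == "__main__":
    for idx, titles in scan(SAMPLE_EVENTS).items():
        print(idx, titles)
```

The ordinary interactive logon (index 0) matches nothing; each of the other constructed events matches exactly one rule, and `should_alert` is true for them regardless of which rule fired, which is the "any one or more" behaviour the list describes. When adapting this to real logs, the loopback and machine-account checks are the ones most worth tuning, since legitimate local services can also produce network logons from 127.0.0.1.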