sigmahighHunting

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

MITRE ATT&CK

lateral-movementprivilege-escalationcredential-access

Detection Query

selection:
  EventID: 4611
  LogonProcessName: User32LogonProcesss
condition: selection

Author

Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

Created

2019-10-24

Data Sources

windowssecurity

Platforms

windows

References

https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1

Tags

attack.lateral-movementattack.privilege-escalationattack.credential-accessattack.t1558.003

Raw Content

title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
status: test
description: Detects potential use of Rubeus via registered new trusted logon process
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection
falsepositives:
    - Unknown
level: high