Windows Special Privileged Logon On Multiple Hosts

name: Windows Special Privileged Logon On Multiple Hosts
id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source:
    - Windows Event Log Security 4672
description: The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.
search: |-
    `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN ("DWM-1","DWM-2","DWM-3","LOCAL SERVICE","NETWORK SERVICE","SYSTEM","*$"))
      | bucket span=5m _time
      | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges
        BY _time, Caller_User_Name
      | rename Caller_User_Name as user
      | where unique_targets > 30
      | `windows_special_privileged_logon_on_multiple_hosts_filter`
how_to_implement: To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.
known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
references:
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)
    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
    - https://attack.mitre.org/tactics/TA0008/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: 'A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.'
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Privilege Escalation
        - Active Directory Lateral Movement
        - Compromised Windows Host
    asset_type: Endpoint
    mitre_attack_id:
        - T1087
        - T1021.002
        - T1135
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog