← Back to Explore
sigmamediumHunting
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Detection Query
selection:
EventID: 4648
ProcessName|endswith:
- \cmd.exe
- \powershell.exe
- \pwsh.exe
- \winrs.exe
- \wmic.exe
- \net.exe
- \net1.exe
- \reg.exe
filter1:
TargetServerName: localhost
filter2:
SubjectUserName|endswith: $
TargetUserName|endswith: $
condition: selection and not 1 of filter*
Author
oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
Created
2020-10-05
Data Sources
windowssecurity
Platforms
windows
Tags
attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078attack.lateral-movement
Raw Content
title: Suspicious Remote Logon with Explicit Credentials
id: 941e5c45-cda7-4864-8cea-bbb7458d194a
status: test
description: Detects suspicious processes logging on with explicit credentials
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
date: 2020-10-05
modified: 2022-08-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.defense-evasion
- attack.t1078
- attack.lateral-movement
logsource:
product: windows
service: security
detection:
selection:
EventID: 4648
ProcessName|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\winrs.exe'
- '\wmic.exe'
- '\net.exe'
- '\net1.exe'
- '\reg.exe'
filter1:
TargetServerName: 'localhost'
filter2:
SubjectUserName|endswith: '$'
TargetUserName|endswith: '$'
condition: selection and not 1 of filter*
falsepositives:
- Administrators that use the RunAS command or scheduled tasks
level: medium