sigmalowHunting

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

MITRE ATT&CK

defense-evasionlateral-movement

Detection Query

selection:
  EventID: 4624
  LogonType: 9
condition: selection

Author

Max Altgelt (Nextron Systems)

Created

2022-04-06

Data Sources

windowssecurity

Platforms

windows

References

https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf

Tags

attack.defense-evasionattack.lateral-movementattack.t1550

Raw Content

title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: test
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1550
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low