2017-03-17 09:44:24 +01:00
|
|
|
title: Interactive Logon to Server Systems
|
2019-11-12 23:12:27 +01:00
|
|
|
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2020-08-25 01:09:17 +02:00
|
|
|
description: Detects interactive console logons to Server Systems
|
2017-03-17 09:44:24 +01:00
|
|
|
author: Florian Roth
|
2020-01-30 16:07:37 +01:00
|
|
|
date: 2017/03/17
|
2021-11-27 11:33:14 +01:00
|
|
|
modified: 2021/11/27
|
2017-03-17 09:44:24 +01:00
|
|
|
logsource:
|
2021-11-27 11:33:14 +01:00
|
|
|
product: windows
|
|
|
|
|
service: security
|
2017-03-17 09:44:24 +01:00
|
|
|
detection:
|
2021-11-27 11:33:14 +01:00
|
|
|
selection:
|
|
|
|
|
EventID:
|
|
|
|
|
- 528
|
|
|
|
|
- 529
|
|
|
|
|
- 4624
|
|
|
|
|
- 4625
|
|
|
|
|
LogonType: 2
|
|
|
|
|
ComputerName:
|
|
|
|
|
- '%ServerSystems%'
|
|
|
|
|
- '%DomainControllers%'
|
|
|
|
|
filter:
|
|
|
|
|
LogonProcessName: Advapi
|
|
|
|
|
ComputerName: '%Workstations%'
|
|
|
|
|
condition: selection and not filter
|
2017-03-17 09:44:24 +01:00
|
|
|
falsepositives:
|
2021-11-27 11:33:14 +01:00
|
|
|
- Administrative activity via KVM or ILO board
|
2017-03-17 09:44:24 +01:00
|
|
|
level: medium
|
2021-11-27 11:33:14 +01:00
|
|
|
tags:
|
|
|
|
|
- attack.lateral_movement
|
|
|
|
|
- attack.t1078
|
