From 47c685553d0510c415fddeb8a04d09419df2cf3e Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Thu, 7 Apr 2022 10:48:09 +0200
Subject: [PATCH] feat: Generate low sigma match for new credential logon

---
 .../builtin/win_susp_logon_newcredentials.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/windows/builtin/win_susp_logon_newcredentials.yml

diff --git a/rules/windows/builtin/win_susp_logon_newcredentials.yml b/rules/windows/builtin/win_susp_logon_newcredentials.yml
new file mode 100644
index 000000000..293620525
--- /dev/null
+++ b/rules/windows/builtin/win_susp_logon_newcredentials.yml
@@ -0,0 +1,19 @@
+title: Outgoing Logon with New Credentials
+id: def8b624-e08f-4ae1-8612-1ba21190da6b
+status: experimental
+description: Detects logon events that specify new credentials
+references:
+  - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
+author: Max Altgelt
+date: 2022/04/06
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4624
+    LogonType: 9
+  condition: selection
+falsepositives:
+  - Legitimate remote administration activity
+level: low
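Review bot: The `description` gives an analyst no context for what `LogonType: 9` actually is, so a triager landing on a match cannot tell why it fired; I would expand it to something like `description: Detects Security event 4624 with logon type 9 (NewCredentials), which is generated when a process is started with explicit alternate network credentials, e.g. via runas /netonly or LogonUser with LOGON32_LOGON_NEW_CREDENTIALS`. The `falsepositives` entry is also narrower than the selection: every administrator using `runas /netonly` on a workstation will produce this event, so `- Administrators running tools with alternate credentials (runas /netonly)` belongs in the list, which also justifies the `low` level. The rule carries no `tags` field; adding the relevant ATT&CK tactic/technique tag would let it be grouped with the rest of the credential-misuse rules in this repository. Finally, the title says "Outgoing Logon" but 4624 is recorded on the host where the logon session is created, not on the remote target, so a title like "Logon with New (Alternate) Credentials" would be less misleading.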