From dd81b18d6e9cbc46e22bd6a79ead35dbe8bb80dd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 17 Mar 2017 09:44:24 +0100
Subject: [PATCH] Rule: Suspicious interactive console logons to servers

---
 .../builtin/win_susp_interactive_logons.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/builtin/win_susp_interactive_logons.yml

diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml
new file mode 100644
index 000000000..277b488be
--- /dev/null
+++ b/rules/windows/builtin/win_susp_interactive_logons.yml
@@ -0,0 +1,26 @@
+title: Interactive Logon to Server Systems
+description: Detects interactive console logons to
+author: Florian Roth
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 528
+ - 529
+ - 4624
+ - 4625
+ LogonType: 2
+ ComputerName:
+ - '%ServerSystems%'
+ - '%DomainControllers%'
+ filter:
+ LogonProcessName: Advapi
+ ComputerName: '%Workstations%'
+ condition: selection and not filter
+falsepositives:
+ - Administrative activity via KVM or ILO board
+level: medium
+
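Review bot: The `filter` block in the new rule ANDs its two keys, so an event is excluded only when `LogonProcessName` is Advapi and the host is also in `%Workstations%`; because `selection` already restricts `ComputerName` to `%ServerSystems%` and `%DomainControllers%`, that combination presumably almost never matches and Advapi-sourced logons on servers would still alert. If either case is meant to be suppressed on its own, split them into two named filters, `filter_advapi:` with `LogonProcessName: Advapi` and `filter_ws:` with `ComputerName: '%Workstations%'`, and use `condition: selection and not (filter_advapi or filter_ws)`, or drop the workstation clause as redundant with the selection. The `description` is also cut off mid-sentence at "Detects interactive console logons to"; completing it, e.g. `description: Detects interactive console logons to server systems and domain controllers (success and failure)`, would also make explicit that 529/4625 failed logons are in scope, which the title does not convey.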