Submission Date: 2013/02/18

Update Date:

Information Domain: Host

Data Subtypes: Login

Analytic Type: Situational Awareness

Applicable Platforms: Windows, Linux, macOS

Contributors: MITRE



Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.

Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Valid Accounts Domain Accounts, Local Accounts Initial Access Low

D3FEND Techniques

ID Name
D3-ANET Authentication Event Thresholding

Data Model References

Object Action Field
user_session login user
user_session login hostname

Implementations

Pseudocode

users_list = search UserSession:Login
users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
output multiple_logins