Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.
Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Valid Accounts||Domain Accounts, Local Accounts||Initial Access||Low|
Data Model References
users_list = search UserSession:Login users_grouped = group users_list by hostname users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1) output multiple_logins