Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.

Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft’s Audit Logon Events page.

ATT&CK Detection

Technique Tactic Level of Coverage
Valid Accounts Initial Access Low

Data Model References

Object Action Field
user_session login user
user_session login hostname

Implementations

Pseudocode

users_list = search UserSession:Login
users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count 
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
output multiple_logins