CAR-2013-02-012: User Logged in to Multiple Hosts
Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.
Certain users will likely appear as being logged into several machines and may need to be “whitelisted.” Such users would include network admins or user names that are common to many hosts.
Output Description
User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Valid Accounts | Domain Accounts, Local Accounts | Lateral Movement | Moderate |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-ANET | Authentication Event Thresholding |