Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.

Output Description

User name, the machines logged into, the earliest and latest times at which the user was logged into each host, the logon type, and the logon ID.

ATT&CK Detection

Technique        Tactic             Level of Coverage
Valid Accounts   Lateral Movement   Moderate

Additional Notes:

Certain users will likely appear as being logged into several machines and may need to be “whitelisted.” Such users would include network administrators or user names that are common to many hosts.
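The detection logic and the output described above, together with the whitelist from the note, as an added worked example (not part of the original analytic). The logon records, host names, users, logon IDs, and the one-hour / three-host thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records with the fields the analytic reports
# (timestamp UTC, user, host, logon type, logon ID); not real telemetry.
SAMPLE_LOGONS = [
    ("2024-01-15T08:01:00", "jsmith",     "WS-ACCT-01", 2,  "0x3e7a1"),
    ("2024-01-15T08:05:00", "jsmith",     "WS-ACCT-01", 2,  "0x3e7b2"),
    ("2024-01-15T08:10:00", "rjones",     "WS-HR-04",   2,  "0x41c01"),
    ("2024-01-15T08:12:00", "rjones",     "FS-01",      3,  "0x41d10"),
    ("2024-01-15T08:14:00", "rjones",     "WS-ENG-07",  10, "0x41e22"),
    ("2024-01-15T08:15:00", "rjones",     "SQL-02",     3,  "0x41f33"),
    ("2024-01-15T08:20:00", "svc_backup", "FS-01",      3,  "0x50001"),
    ("2024-01-15T08:21:00", "svc_backup", "SQL-02",     3,  "0x50002"),
    ("2024-01-15T08:22:00", "svc_backup", "WS-ENG-07",  3,  "0x50003"),
]
# Accounts expected to touch many hosts (admins, service accounts); assumed.
WHITELIST = {"svc_backup"}


def users_on_multiple_hosts(logons, window=timedelta(hours=1), min_hosts=3,
                            whitelist=frozenset(WHITELIST)):
    """Return {user: summary} for users seen on >= min_hosts distinct hosts
    inside any sliding window of length `window`, skipping whitelisted users."""
    by_user = defaultdict(list)
    for ts, user, host, ltype, lid in logons:
        if user not in whitelist:
            by_user[user].append((datetime.fromisoformat(ts), host, ltype, lid))
    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort on the datetime first
        best = None
        for i, (start, _, _, _) in enumerate(events):
            # All of this user's logons in the window that opens at event i.
            span = [e for e in events[i:] if e[0] - start <= window]
            hosts = {e[1] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                best = (span, hosts)
        if best:
            span, hosts = best
            findings[user] = {
                "hosts": sorted(hosts),
                "earliest": span[0][0].isoformat(),
                "latest": span[-1][0].isoformat(),
                "logon_types": sorted({e[2] for e in span}),
                "logon_ids": [e[3] for e in span],
            }
    return findings
```

With the sample data only `rjones` is reported (four hosts in five minutes); `svc_backup` also spans three hosts but is suppressed by the whitelist.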