Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.
Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.
The time of login events for distinct users on individual systems
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Remote Services||Remote Desktop Protocol||Lateral Movement||Moderate|
|Valid Accounts||Domain Accounts, Local Accounts||Defense Evasion||Moderate|
|D3-ANET||Authentication Event Thresholding|
Account Logon with Filtering (Pseudocode)
This base pseudocode looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events.
logon_events = search User_Session:Login filtered_logons = filter logon_events where ( user NOT IN TOP30(user)) output filtered_logons
Account Logon with Filtering (Splunk)
Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.
index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name]
Account Logon with Filtering (Dnif, Sysmon native)
DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN group count_unique $ScopeID, $User limit 30 >>_store in_disk david_test win_top_30 stack_replace >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000 >>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude