Techniques
Sample rules
Suspicious Remote Logon with Explicit Credentials
- source: sigma
- techniques:
  - t1078
Description
Detects suspicious processes logging on with explicit credentials
Detection logic
selection:
    EventID: 4648
    ProcessName|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\winrs.exe'
        - '\wmic.exe'
        - '\net.exe'
        - '\net1.exe'
        - '\reg.exe'
filter1:
    TargetServerName: 'localhost'
filter2:
    SubjectUserName|endswith: '$'
    TargetUserName|endswith: '$'
condition: selection and not 1 of filter*
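To make the selection/filter/condition logic concrete, the block below is an added example (not Sigma's own code and not a Sigma backend) that re-implements this one rule in plain Python and runs it over constructed Event ID 4648 records. Field names follow the rule; the sample events, account names and host names are made up for the example, and the case-insensitive matching mirrors Sigma's default string handling.

```python
"""Added example: evaluate the 'Suspicious Remote Logon with Explicit
Credentials' Sigma rule by hand over constructed 4648 records.
Not project code; the events below are invented for illustration."""

# Process-name suffixes from the rule's selection block.
SUSPICIOUS_PROCESS_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\winrs.exe",
    "\\wmic.exe", "\\net.exe", "\\net1.exe", "\\reg.exe",
)


def selection(event: dict) -> bool:
    """selection: EventID 4648 and ProcessName ending in one of the listed binaries."""
    if event.get("EventID") != 4648:
        return False
    proc = event.get("ProcessName", "").lower()
    # Sigma string modifiers are case-insensitive by default.
    return proc.endswith(tuple(s.lower() for s in SUSPICIOUS_PROCESS_SUFFIXES))


def filter1(event: dict) -> bool:
    """filter1: explicit-credential logon whose target is the local machine."""
    return event.get("TargetServerName", "").lower() == "localhost"


def filter2(event: dict) -> bool:
    """filter2: BOTH subject and target are machine accounts (trailing '$').
    Fields inside one Sigma map are ANDed, so one '$' alone is not enough."""
    return (event.get("SubjectUserName", "").endswith("$")
            and event.get("TargetUserName", "").endswith("$"))


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter*"""
    return selection(event) and not (filter1(event) or filter2(event))


def alerting_events(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Interactive shell using explicit creds against a remote host -> alert
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "TargetServerName": "FILESRV01.corp.example", "SubjectUserName": "jdoe",
     "TargetUserName": "srv_admin"},
    # 2. Same tooling but target is localhost -> suppressed by filter1
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "TargetServerName": "localhost", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe"},
    # 3. Machine account to machine account -> suppressed by filter2
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetServerName": "DC01.corp.example", "SubjectUserName": "WS01$",
     "TargetUserName": "WS01$"},
    # 4. Process not in the selection list -> no match
    {"EventID": 4648, "ProcessName": "C:\\Windows\\explorer.exe",
     "TargetServerName": "FILESRV01.corp.example", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe"},
    # 5. Wrong event ID -> no match
    {"EventID": 4624, "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "TargetServerName": "FILESRV01.corp.example", "SubjectUserName": "jdoe",
     "TargetUserName": "srv_admin"},
    # 6. Only the subject is a machine account -> filter2 does not apply -> alert
    {"EventID": 4648, "ProcessName": "C:\\Windows\\System32\\net.exe",
     "TargetServerName": "FILESRV01.corp.example", "SubjectUserName": "WS01$",
     "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["ProcessName"], e["SubjectUserName"], "->",
              e["TargetUserName"], "@", e["TargetServerName"])
```

Events 2 and 3 show why the two filters exist: `runas`-style logons to the local host and machine-to-machine logons (scheduled tasks, service accounts) are the common benign sources of 4648, and excluding them keeps the rule focused on a user-driven shell authenticating to another host. Event 6 shows the edge of filter2: a single machine account on either side is not excluded.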