LoFP / legitimate remote administration activity

Techniques

• t1550

Sample rules

Outgoing Logon with New Credentials

• source: sigma
• technicques:
  • t1550

Description

Detects logon events that specify new credentials

Detection logic

condition: selection
selection:
  EventID: 4624
  LogonType: 9