-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-02-008.yaml
42 lines (41 loc) · 1.52 KB
/
CAR-2013-02-008.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
title: Simultaneous Logins on a Host
submission_date: 2013/02/18
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Login
analytic_types:
- Situational Awareness
contributors:
- MITRE
id: CAR-2013-02-008
description: |-
Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.
Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.
Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page.
coverage:
- technique: T1078
tactics:
- TA0001
subtechniques:
- T1078.002
- T1078.003
coverage: Low
implementations:
- code: |-
users_list = search UserSession:Login
users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
output multiple_logins
type: pseudocode
data_model_references:
- user_session/login/user
- user_session/login/hostname
d3fend_mappings:
- iri: d3f:AuthenticationEventThresholding
id: D3-ANET
label: Authentication Event Thresholding