-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-02-012.yaml
34 lines (31 loc) · 1.16 KB
/
CAR-2013-02-012.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
title: User Logged in to Multiple Hosts
submission_date: 2013/02/27
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Login
analytic_types:
- Situational Awareness
contributors:
- MITRE
id: CAR-2013-02-012
description: |-
Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts.
### Output Description
User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID.
coverage:
- technique: T1078
tactics:
- TA0008
subtechniques:
- T1078.002
- T1078.003
coverage: Moderate
d3fend_mappings:
- iri: d3f:AuthenticationEventThresholding
id: D3-ANET
label: Authentication Event Thresholding