Original article written on Medium.

Use cases are created and modified according to the organization’s requirements. I am going to use this platform to explain the use cases I created and updated in GitHub.

The first use case I will discuss is based on the MITRE ATT&CK tactic TA0001, Initial Access.

Use case Name: Remote Services: Simultaneous Logins on a Host

Description: Multiple users logged into a single machine at the same time, or within the same hour.

Sentinel format — the code:

SecurityEvent
| where EventID == 4624
| where LogonType in (2,3,9,10)
| where Account !endswith "$"
| summarize earliest_time = min(TimeGenerated), latest_Time = max(TimeGenerated), UserCount = dcount(TargetUserName), Users = make_set(TargetUserName) by IpAddress
| where latest_Time - earliest_time <= 1h and UserCount > 1

Explanation of the code:

SecurityEvent

It’s the table (schema) we query for this use case.

| where EventID == 4624

We are looking at logon events, hence the Windows logon event ID 4624. Adjust this event ID according to the Windows version in use; refer here for further information.

| where LogonType in (2,3,9,10)

We are focusing on certain logon types:

  • 2 — Interactive (logon at the keyboard and screen of the system)
  • 3 — Network (e.g. a connection to a shared folder on this computer from elsewhere on the network)
  • 9 — NewCredentials, such as with RunAs or mapping a network drive with alternate credentials
  • 10 — RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)

| where Account !endswith "$"

Accounts ending in "$" are computer accounts. When a computer joins a domain it must have an account associated with it in order to apply policy settings, and that account is created automatically at join time. Excluding these accounts removes false positives.

| summarize earliest_time = min(TimeGenerated), latest_Time = max(TimeGenerated), UserCount = dcount(TargetUserName), Users = make_set(TargetUserName) by IpAddress

Here I take the earliest and latest logon time and the distinct count of users, grouped by source IP address, and collect the user names with “make_set”. The beauty of “make_set” is that you can collect as many fields as you want, depending on the information you need.

| where latest_Time - earliest_time <= 1h and UserCount > 1

This is where we apply the condition: the time between the earliest and latest logon must be within one hour, and the distinct count of users must be greater than one.
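To show how the pipeline behaves on concrete events, here is an added Python mirror of the query run over a constructed batch of SecurityEvent-shaped records; it is example code written for this post, not the query from GitHub. The records, field values and the `group_key` parameter are assumptions; `group_key` lets you summarize by any column present in the records (the query itself uses IpAddress, the logon source address).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows logon events using only the SecurityEvent
# columns the query touches (not real telemetry).
EVENTS = [
    {"TimeGenerated": "2024-01-10T09:00:00", "EventID": 4624, "LogonType": 10,
     "Account": "CORP\\alice", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2024-01-10T09:20:00", "EventID": 4624, "LogonType": 10,
     "Account": "CORP\\bob", "TargetUserName": "bob", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2024-01-10T09:30:00", "EventID": 4624, "LogonType": 3,
     "Account": "CORP\\WS01$", "TargetUserName": "WS01$", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2024-01-10T08:00:00", "EventID": 4624, "LogonType": 2,
     "Account": "CORP\\carol", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
    {"TimeGenerated": "2024-01-10T11:30:00", "EventID": 4624, "LogonType": 2,
     "Account": "CORP\\dave", "TargetUserName": "dave", "IpAddress": "10.0.0.9"},
    {"TimeGenerated": "2024-01-10T09:05:00", "EventID": 4625, "LogonType": 3,
     "Account": "CORP\\eve", "TargetUserName": "eve", "IpAddress": "10.0.0.7"},
]

LOGON_TYPES = {2, 3, 9, 10}  # Interactive, Network, NewCredentials, RemoteInteractive


def simultaneous_logins(events, window=timedelta(hours=1), group_key="IpAddress"):
    """Mirror of the KQL pipeline: filter, summarize per group, then apply the
    window/count condition. Returns {group: sorted user list} for each hit."""
    groups = defaultdict(lambda: {"times": [], "users": set()})
    for ev in events:
        if ev["EventID"] != 4624:                   # | where EventID == 4624
            continue
        if ev["LogonType"] not in LOGON_TYPES:      # | where LogonType in (2,3,9,10)
            continue
        if ev["Account"].endswith("$"):             # | where Account !endswith "$"
            continue
        g = groups[ev[group_key]]                   # | summarize ... by IpAddress
        g["times"].append(datetime.fromisoformat(ev["TimeGenerated"]))
        g["users"].add(ev["TargetUserName"])       # dcount / make_set(TargetUserName)
    hits = {}
    for key, g in groups.items():
        # Span is measured over every logon in the group for the whole lookback,
        # so two close logons buried in a long series will not fire on their own.
        span = max(g["times"]) - min(g["times"])    # latest_Time - earliest_time
        if span <= window and len(g["users"]) > 1:  # <= 1h and UserCount > 1
            hits[key] = sorted(g["users"])
    return hits


if __name__ == "__main__":
    print(simultaneous_logins(EVENTS))  # 10.0.0.5 fires; WS01$ and the 4625 are dropped
```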

Find the code on GitHub here.
