Detection rules › Elastic
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts |
| Privilege Escalation | T1078 Valid Accounts |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
Stages and Predicates
Stage 1: esql:from
Stage 2: esql:where
not user.name:"*$" and not :"::" and event.action:"logged-in" and event.category:"authentication" and event.outcome:"success" and source.ip:* and not source.ip:"127.0.0.1" and winlog.logon.type:("Network" or "RemoteInteractive")
Stage 3: esql:stats
Stage 4: esql:stats
Stage 5: esql:where
Esql.count_distinct_source_ip:2 and Esql.max_logon >= 1000 and Esql.min_logon >= 1 and Esql.min_logon <= 5 and Esql.unique_host_count >= 2
Stage 6: esql:eval
Stage 7: esql:keep
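To make the two where-stages concrete, the following added example (not part of the rule or of Elastic's code) re-implements the stage-2 filter and the stage-5 thresholds in plain Python and runs them over a handful of constructed 4624-style events. The shape of the stats stages (per-user logon counts per source IP, then min/max across IPs and a distinct host count) is an assumption inferred from the field names Esql.max_logon, Esql.min_logon and Esql.unique_host_count; the sample users, IPs and host names are invented.

```python
"""Offline simulation of the rule's filter and threshold stages.

Added illustration, not the rule's own ESQL. The per-user/per-IP aggregation
(stages 3-4) is assumed from the Esql.* field names on the page; all events
below are constructed test data, not real logs.
"""
from collections import defaultdict


def make_event(user, ip, host, logon_type="Network", action="logged-in",
               outcome="success", category="authentication"):
    """Build a minimal ECS-style record with the fields the predicates read."""
    return {
        "user.name": user, "source.ip": ip, "host.name": host,
        "winlog.logon.type": logon_type, "event.action": action,
        "event.outcome": outcome, "event.category": category,
    }


def stage2_where(e):
    """Mirror of the stage-2 esql:where predicates."""
    return bool(
        not e["user.name"].endswith("$")             # drop machine accounts
        and e["event.action"] == "logged-in"
        and e["event.category"] == "authentication"
        and e["event.outcome"] == "success"
        and e.get("source.ip")                       # source.ip:* (must exist)
        and e["source.ip"] != "127.0.0.1"
        and e["winlog.logon.type"] in ("Network", "RemoteInteractive")
    )


def aggregate(events):
    """Assumed stats stages: logons per (user, source IP) and hosts per user."""
    logons = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for e in filter(stage2_where, events):
        logons[e["user.name"]][e["source.ip"]] += 1
        hosts[e["user.name"]].add(e["host.name"])
    rows = {}
    for user, per_ip in logons.items():
        rows[user] = {
            "count_distinct_source_ip": len(per_ip),
            "max_logon": max(per_ip.values()),
            "min_logon": min(per_ip.values()),
            "unique_host_count": len(hosts[user]),
            "source_ips": sorted(per_ip),
        }
    return rows


def stage5_where(row):
    """Mirror of the stage-5 thresholds: exactly 2 IPs, one hot, one rare."""
    return (row["count_distinct_source_ip"] == 2
            and row["max_logon"] >= 1000
            and 1 <= row["min_logon"] <= 5
            and row["unique_host_count"] >= 2)


def run_rule(events):
    """Return {user: summary row} for every user the rule would alert on."""
    return {u: r for u, r in aggregate(events).items() if stage5_where(r)}


def build_sample():
    """Constructed events covering one true positive and three near misses."""
    ev = []
    # svc_backup: 1200 network logons from one IP to two servers, then two
    # RemoteInteractive logons from a never-seen IP -> should alert.
    ev += [make_event("svc_backup", "10.0.0.5", "fs01" if i % 2 else "fs02")
           for i in range(1200)]
    ev += [make_event("svc_backup", "10.9.9.9", "fs01", "RemoteInteractive")] * 2
    # alice: same shape, but the new IP logged on 6 times -> min_logon > 5.
    ev += [make_event("alice", "10.0.0.7", "app01" if i % 2 else "app02")
           for i in range(1000)]
    ev += [make_event("alice", "10.9.9.10", "app01")] * 6
    # carol: a third source IP appears -> count_distinct_source_ip is 3, no alert.
    ev += [make_event("carol", "10.0.0.9", "db01" if i % 2 else "db02")
           for i in range(1000)]
    ev += [make_event("carol", "10.9.9.11", "db01"),
           make_event("carol", "10.9.9.12", "db02")]
    # WS01$: machine account, removed entirely by the user.name "*$" exclusion.
    ev += [make_event("WS01$", "10.0.0.8", "dc01") for _ in range(1500)]
    ev += [make_event("WS01$", "10.9.9.13", "dc02")]
    return ev


if __name__ == "__main__":
    for user, row in run_rule(build_sample()).items():
        print(user, row)
```

Two properties of the thresholds stand out when the sample runs: the rule insists on exactly two distinct source IPs, so a user seen from three addresses in the window never fires, and the rare IP must carry between one and five successful logons, so an attacker who reuses the stolen credential more than five times from the new address also drops out of the match set.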
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | user | ends_with | $ |
Indicators
Each row is a field, operator, and value that the rule matches. Where a corpus column is shown, it counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Esql.count_distinct_source_ip | eq | 2 |
| Esql.max_logon | ge | 1000 |
| Esql.min_logon | ge | 1 |
| Esql.min_logon | le | 5 |
| Esql.unique_host_count | ge | 2 |
| event.action | eq | logged-in |
| event.category | eq | authentication |
| event.outcome | eq | success |
| source.ip | ne | 127.0.0.1 |
| winlog.logon.type | in | Network, RemoteInteractive |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Potential Pass-the-Hash (PtH) Attempt (adds 6 filters)
- Potential Privilege Escalation via Local Kerberos Relay over LDAP (adds 5 filters)
- Windows Kerberos Local Successful Logon (adds 5 filters)
- Potential Access Token Abuse (adds 4 filters)
- Pass the Hash Activity 2 (adds 4 filters)
- RottenPotato Like Attack Pattern (adds 4 filters)
- Windows Rapid Authentication On Multiple Hosts (adds 4 filters)
- Admin User Remote Logon (adds 3 filters)
- Successful Overpass the Hash Attempt (adds 3 filters)
- Unusual Number of Remote Endpoint Authentication Events (adds 3 filters)
- DiagTrackEoP Default Login Username (adds 2 filters)
- RDP Login from Localhost (adds 2 filters)
- Windows RDP Login Session Was Established (adds 2 filters)
- External Remote RDP Logon from Public IP (adds 1 filter)
- External Remote SMB Logon from Public IP (adds 1 filter)
- Outgoing Logon with New Credentials (adds 1 filter)
- Successful Account Login Via WMI (adds 1 filter)