Detection rules › By event

Microsoft-Windows-Security-Auditing event 4624

36 detection rules reference this event. View event page.

Sigma (14)

Admin User Remote Logon severity low T1078.001, T1078.002, T1078.003
DiagTrackEoP Default Login Username severity critical
External Remote RDP Logon from Public IP severity medium T1078, T1110, T1133
External Remote SMB Logon from Public IP severity high T1078, T1110, T1133
Hacktool Ruler severity high T1059, T1087, T1114, T1550.002
Metasploit SMB Authentication severity high T1021.002
Outgoing Logon with New Credentials severity low T1550
Pass the Hash Activity 2 severity medium T1550.002
Potential Access Token Abuse severity medium T1134.001
Potential Privilege Escalation via Local Kerberos Relay over LDAP severity high T1548
RDP Login from Localhost severity high T1021.001
RottenPotato Like Attack Pattern severity high T1557.001
Successful Account Login Via WMI severity low T1047
Successful Overpass the Hash Attempt severity high T1550.002