Service Accounts Performing Remote PS
Service Accounts Performing Remote PowerShell. The purpose of this detection is to find service accounts that are running remote PowerShell sessions. The detection has two phases: first, identify service accounts; second, find remote PS cmdlets being run by those accounts. To accomplish this, we use DeviceLogonEvents and DeviceEvents to find cmdlets run that meet the criteria. One of the main advantages of this method is that it only requires telemetry from the server, not from the attacking client. The first phase relies on DeviceLogonEvents to determine whether an account is a service account or not. Consider the following accounts and their logons: Random_user has DeviceLogonEvents with logon types 2, 3, 7, 10, 11 & 13. Random_service_account 'should' only have DeviceLogonEvents with logon types 3, 4 or 5.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1210 Exploitation of Remote Services |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Defender-DeviceLogonEvents | 9003001 | Logon succeeded |
Stages and Predicates
- Stage 1 (source): DeviceLogonEvents
- Stage 2 (where): not AccountName eq "WhitelistedAccounts"
- Stage 3 (where): ActionType eq "LogonSuccess"
- Stage 4 (where): not AccountName contains "$"
- Stage 5 (where): not AccountName match "winrm va_"
- Stage 6 (extend)
- Stage 7 (summarize)
- Stage 8 (where): HasInteractiveLogon eq "0"
- Stage 9 (join)
- Stage 10 (extend)
- Stage 11 (where): not Command eq "WhitelistedCmdlets"
- Stage 12 (summarize)
- Stage 13 (sort)
- Stage 14 (extend)
- Stage 15 (extend)
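The stage listing above can be read back into a runnable advanced-hunting query. The following KQL is an added reconstruction written for this page; it is not the catalog's own rule text. The whitelist contents, the set of logon types treated as interactive, the use of `wsmprovhost.exe` as the parent of commands run inside an inbound remoting session, and the extraction of `Command` from `AdditionalFields` of `PowerShellCommand` events are all assumptions that should be checked against the telemetry in your own tenant.

```kusto
// Added example: reconstruction of the staged rule described above, not the catalog's own query.
// Placeholder whitelists (constructed values) - replace with the accounts and cmdlets that are noise in your environment.
let WhitelistedAccounts = dynamic(["svc_placeholder_account"]);
let WhitelistedCmdlets  = dynamic(["Get-Command", "Set-StrictMode"]);
// Logon types that imply a human at a console or RDP session (assumption: these MDE LogonType names).
let InteractiveTypes = dynamic(["Interactive", "RemoteInteractive", "Unlock", "CachedInteractive"]);
// Phase 1 (stages 1-8): accounts that log on successfully but never interactively.
let ServiceAccounts =
    DeviceLogonEvents
    | where AccountName !in~ (WhitelistedAccounts)                 // stage 2
    | where ActionType == "LogonSuccess"                           // stage 3
    | where AccountName !contains "$"                              // stage 4: drop computer accounts
    | where not(AccountName matches regex "winrm va_")             // stage 5
    | extend IsInteractive = iff(LogonType in~ (InteractiveTypes), 1, 0)   // stage 6
    | summarize HasInteractiveLogon = max(IsInteractive),
                LogonCount = count(),
                LogonTypes = make_set(LogonType) by AccountName = tolower(AccountName)   // stage 7
    | where HasInteractiveLogon == 0;                              // stage 8
// Phase 2 (stages 9-13): PowerShell commands executed on the server inside inbound remoting sessions.
ServiceAccounts
| join kind=inner (                                                // stage 9
    DeviceEvents
    | where ActionType == "PowerShellCommand"
    // Assumption: commands run via an inbound PS remoting session are hosted by wsmprovhost.exe on the target.
    | where InitiatingProcessFileName =~ "wsmprovhost.exe"
    | extend Command = tostring(parse_json(AdditionalFields).Command)   // stage 10
    // PowerShellCommand rows may carry the user only on the initiating process; normalise case for the join.
    | extend AccountName = tolower(coalesce(AccountName, InitiatingProcessAccountName))
    | project Timestamp, DeviceName, AccountName, Command, InitiatingProcessId
) on AccountName
| where Command !in~ (WhitelistedCmdlets)                          // stage 11
| summarize Occurrences = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = make_set(DeviceName),
            Commands = make_set(Command) by AccountName, LogonTypes   // stage 12
| sort by Occurrences desc                                         // stage 13
```

Two points worth noting when tuning this. The join key is lower-cased on both sides because KQL `join` compares strings case-sensitively and logon and process telemetry do not always agree on account casing. The `HasInteractiveLogon` flag is computed over whatever time window the query runs on, so a service account that has never had an interactive logon in the lookback will be classified as a service account even if a human used it earlier; widening the lookback for phase 1 (or keeping a separately maintained list of service accounts) reduces that misclassification.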
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | user | eq | WhitelistedAccounts |
| 1 | user | contains | $ |
| 1 | user | match | winrm va_ |
| 1 | Command | eq | WhitelistedCmdlets |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | LogonSuccess |
| HasInteractiveLogon | eq | 0 |