detection.wiki

Detection rules › Sigma

Admin User Remote Logon

Severity
low
Author
juju4
Source
upstream

Detect remote login by Administrator user (depending on internal pattern).

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
PersistenceT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
Privilege EscalationT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts
Defense EvasionT1078.001 Valid Accounts: Default Accounts, T1078.002 Valid Accounts: Domain Accounts, T1078.003 Valid Accounts: Local Accounts

Event coverage

ProviderEvent IDTitle
Security-Auditing4624An account was successfully logged on.

Stages and Predicates

Stage 1: selection

AuthenticationPackageName: Negotiate
LogonType: 10
TargetUserName|startswith: Admin

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuthenticationPackageNameeq
  • Negotiate corpus 3 (sigma 3)
LogonTypeeq
  • 10 corpus 4 (sigma 3, splunk 1)
TargetUserNamestarts_with
  • Admin

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.