Detection rules › Splunk
Windows Special Privileged Logon On Multiple Hosts
The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1087 Account Discovery, T1135 Network Share Discovery |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4672 | Special privileges assigned to new logon. |
Stages and Predicates
Stage 1: search
search NOT Caller_User_Name IN ("*$", "DWM-1", "DWM-2", "DWM-3", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM") EventCode=4672
Stage 2: bucket
bucket span=5m _time
Stage 3: stats
stats dc(Computer) AS unique_targets, … AS dest, … AS privileges BY _time, Caller_User_Name
Stage 4: rename
rename
Stage 5: where
where unique_targets>30
Stage 6: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | user | in | "*$", "DWM-1", "DWM-2", "DWM-3", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
unique_targets | gt |
|