DC0067 Logon Session Creation

| Item | Value |
|---|---|
| ID | DC0067 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| auditd:SYSCALL | capset or setns |
| AWS:CloudTrail | ConsoleLogin, AssumeRole, ListResources |
| AWS:CloudTrail | ConsoleLogin |
| AWS:CloudTrail | Web console logins using session cookies without corresponding MFA event |
| AWS:CloudTrail | ConsoleLogin: If IdP backed by cloud provider, Console login from new IP/agent after correlated endpoint compromise |
| AWS:CloudTrail | SendSSHPublicKey, StartSession (SSM), EC2InstanceConnect |
| AWS:CloudTrail | Temporary security credentials used to authenticate into management console or APIs |
| AWS:CloudTrail | AWS ConsoleLogin, StartSession |
| AWS:CloudTrail | GetConsoleOutput |
| AWS:CloudTrail | sudden role assumption after credential file access |
| AWS:CloudTrail | AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity |
| azure:ad | SignInEvents |
| azure:signin | UserLoginSuccess, TokenIssued |
| azure:signin | Microsoft.Compute/virtualMachines/serialConsole/connect/action |
| azure:signinlogs | Abnormal sign-in from scripting tools (PowerShell, AADInternals) |
| azure:signinlogs | Suspicious login to cloud mailbox system |
| azure:signinlogs | Failed MFA attempts, unusual conditional access triggers, login attempts from unexpected IP ranges |
| azure:signinlogs | InteractiveUserLogin: Discovery behavior linked to privileged logins from atypical IP ranges |
| azure:signinlogs | InteractiveUser, ServicePrincipalSignIn |
| azure:signinlogs | InteractiveUser, NonInteractiveUser |
| azure:signinlogs | UserLogin, ConditionalAccessPolicyEvaluated |
| CloudTrail:Signin | SAML login without corresponding IdP authentication log |
| esxi:auth | Shell login or escalation |
| esxi:vmkernel | vim.fault.*, DCUI login, SSH shell |
| gcp:audit | LoginAudit, DriveAudit |
| gcp:audit | cloud.ssh.publicKey.inserted, compute.instances.osLogin |
| gcp:audit | admin.googleapis.com |
| linux:auth | User login event followed by unexpected process tree |
| linux:syslog | sshd: Accepted password/publickey |
| linux:syslog | authentication success after file access |
| linux:syslog | auth.log / secure.log |
| linux:syslog | Accepted publickey/password for * from * port * ssh2 |
| linux:syslog | None |
| Logon Session | None |
| m365:sharepoint | File access with forged or anomalous SAML claims |
| m365:signinlogs | SignInSuccess, RoleAssignmentRead |
| m365:signinlogs | Token usage events with device/user mismatch |
| m365:signinlogs | UserLogin: Discovery operations shortly after account logins from new geolocations |
| m365:signinlogs | UserLoggedIn |
| m365:unified | UserLoggedIn |
| m365:unified | ViewAdminReport |
| macos:unifiedlog | UserLoggedIn |
| macos:unifiedlog | Authentication inconsistencies where commands are executed without corresponding login events |
| macos:unifiedlog | authentication |
| macos:unifiedlog | Session reuse without new auth event |
| macos:unifiedlog | Access to Keychain items or browser credential stores |
| macos:unifiedlog | eventMessage CONTAINS ‘screensharingd’ or ‘AuthorizationRefCreate’ |
| macos:unifiedlog | Keychain or user login post-access |
| macos:unifiedlog | authentication plugin load or modification events |
| macos:unifiedlog | loginwindow or sshd successful login events |
| networkdevice:Firewall | Login from untrusted IP, or new admin account accessing firewall console/API |
| NSM:Connections | Mismatch between recorded user logon and active sessions (e.g., wtmp/utmp entries without corresponding authentication in auth.log) |
| NSM:Connections | Missing new login event but session activity continues |
| NSM:Connections | Accepted publickey for user from unusual IP or without tty |
| NSM:Connections | simultaneous or anomalous logon sessions across multiple systems |
| Okta:SystemLog | user.authentication.sso, app.oauth.grant |
| saas:access | Multiple concurrent logins using same cookie from different locations |
| saas:auth | LoginSuccess, APIKeyUse, AdminAction |
| saas:auth | Login, TokenGranted: Discovery actions tied to anomalous login sessions or tokens |
| saas:confluence | logon |
| saas:github | Login from unusual IP, device fingerprint, or location; access token creation from new client |
| saas:okta | user.session.start |
| saas:okta | session.token.reuse |
| saas:zoom | Zoom Admin Dashboard accessed from unfamiliar IP/device |
| WinEventLog:Security | EventCode=4624, 4648 |
| WinEventLog:Security | Anomalous logon without MFA enforcement |
| WinEventLog:Security | EventCode=4624 |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0103 | Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects | T1070.005 |
| DET0008 | Behavioral Detection of Remote Cloud Logins via Valid Accounts | T1021.007 |
| DET0596 | Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution | T1021.004 |
| DET0178 | Behavioral Detection of Unauthorized VNC Remote Control Sessions | T1021.005 |
| DET0384 | Behavioral Detection of Unix Shell Execution | T1059.004 |
| DET0477 | Behavioral Detection of WinRM-Based Remote Access | T1021.006 |
| DET0269 | Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity | T1021 |
| DET0338 | Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) | T1550 |
| DET0488 | Detect abuse of Trusted Relationships (third-party and delegated admin access) | T1199 |
| DET0307 | Detect Access to Unsecured Credential Files Across Platforms | T1552.001 |
| DET0507 | Detect browser session hijacking via privilege, handle access, and remote thread into browsers | T1185 |
| DET0271 | Detect Domain Controller Authentication Process Modification (Skeleton Key) | T1556.001 |
| DET0293 | Detect Hybrid Identity Authentication Process Modification | T1556.007 |
| DET0157 | Detect Kerberoasting Attempts (T1558.003) | T1558.003 |
| DET0072 | Detect Logon Script Modifications and Execution | T1037.001 |
| DET0454 | Detect Malicious Modification of Pluggable Authentication Modules (PAM) | T1556.003 |
| DET0048 | Detect Remote Email Collection via Abnormal Login and Programmatic Access | T1114.002 |
| DET0074 | Detect Use of Stolen Web Session Cookies Across Platforms | T1550.004 |
| DET0500 | Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users | T1213.002 |
| DET0263 | Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms | T1213.003 |
| DET0550 | Detecting Suspicious Access to CRM Data in SaaS Environments | T1213.004 |
| DET0567 | Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments | T1213.005 |
| DET0588 | Detection of Remote Service Session Hijacking for RDP. | T1563.002 |
| DET0546 | Detection of Abused or Compromised Cloud Accounts for Access and Persistence | T1078.004 |
| DET0291 | Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access | T1538 |
| DET0754 | Detection of Data from Information Repositories | T0811 |
| DET0465 | Detection of Default Account Abuse Across Platforms | T1078.001 |
| DET0756 | Detection of Default Credentials | T0812 |
| DET0211 | Detection of Direct VM Console Access via Cloud-Native Methods | T1021.008 |
| DET0772 | Detection of Graphical User Interface | T0823 |
| DET0798 | Detection of Hardcoded Credentials | T0891 |
| DET0407 | Detection of Local Account Abuse for Initial Access and Persistence | T1078.003 |
| DET0079 | Detection of Remote Service Session Hijacking | T1563 |
| DET0804 | Detection of Remote Services | T0886 |
| DET0560 | Detection of Valid Account Abuse Across Platforms | T1078 |
| DET0724 | Detection of Valid Accounts | T0859 |
| DET0509 | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | T1539 |
| DET0726 | Detection of Wireless Compromise | T0860 |
| DET0402 | Detection Strategy for Cloud Service Discovery | T1526 |
| DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068 |
| DET0495 | Detection Strategy for Financial Theft | T1657 |
| DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002 |
| DET0171 | Detection Strategy for Forged Web Cookies | T1606.001 |
| DET0260 | Detection Strategy for Forged Web Credentials | T1606 |
| DET0286 | Detection Strategy for Impersonation | T1656 |
| DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | T1111 |
| DET0070 | Detection Strategy for Phishing across platforms. | T1566 |
| DET0256 | Detection Strategy for SSH Session Hijacking | T1563.001 |
| DET0409 | Detection Strategy for T1550.002 - Pass the Hash (Windows) | T1550.002 |
| DET0352 | Detection Strategy for T1550.003 - Pass the Ticket (Windows) | T1550.003 |
| DET0176 | Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) | T1189 |
| DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | T1114 |
| DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001 |
| DET0054 | Internal Spearphishing via Trusted Accounts | T1534 |
| DET0390 | Linux Detection Strategy for T1547.013 - XDG Autostart Entries | T1547.013 |
| DET0285 | Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution | T1021.003 |
| DET0530 | Multi-Event Detection for SMB Admin Share Lateral Movement | T1021.002 |
| DET0327 | Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | T1021.001 |
| DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480 |
| DET0358 | Programmatic and Excessive Access to Confluence Documentation | T1213.001 |
| DET0003 | T1136.002 Detection Strategy - Domain Account Creation Across Platforms | T1136.002 |
| DET0306 | Unauthorized Network Firewall Rule Modification (T1562.013) | T1562.013 |
| DET0394 | Web Shell Detection via Server Behavior and File Execution Chains | T1505.003 |