DS0028 Logon Session

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization.[1]

ID: DS0028
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host, Network
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Logon Session Creation

Initial construction of a new user logon session (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)

Domain ID Name
enterprise T1185 Browser Session Hijacking
enterprise T1538 Cloud Service Dashboard
enterprise T1213 Data from Information Repositories
enterprise T1213.001 Confluence
enterprise T1213.002 Sharepoint
enterprise T1213.003 Code Repositories
enterprise T1114 Email Collection
enterprise T1114.002 Remote Email Collection
enterprise T1606 Forge Web Credentials
enterprise T1606.001 Web Cookies
enterprise T1606.002 SAML Tokens
enterprise T1556 Modify Authentication Process
enterprise T1556.001 Domain Controller Authentication
enterprise T1556.003 Pluggable Authentication Modules
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
enterprise T1021.004 SSH
enterprise T1021.005 VNC
enterprise T1021.006 Windows Remote Management
enterprise T1199 Trusted Relationship
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.002 Pass the Hash
enterprise T1550.003 Pass the Ticket
enterprise T1078 Valid Accounts
enterprise T1078.001 Default Accounts
enterprise T1078.002 Domain Accounts
enterprise T1078.003 Local Accounts
enterprise T1078.004 Cloud Accounts

Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated with it

Domain ID Name
enterprise T1133 External Remote Services
enterprise T1606 Forge Web Credentials
enterprise T1606.002 SAML Tokens
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1558 Steal or Forge Kerberos Tickets
enterprise T1558.001 Golden Ticket
enterprise T1558.002 Silver Ticket
enterprise T1199 Trusted Relationship
enterprise T1078 Valid Accounts
enterprise T1078.002 Domain Accounts
enterprise T1078.003 Local Accounts
enterprise T1078.004 Cloud Accounts

References

  1. Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.
  2. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
  3. Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.
  4. Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.
  5. Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.
  6. Edwards, S. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
  7. Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.
  8. Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
  9. Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.
  10. Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.
  11. Borges, D. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.
  12. Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
  13. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.