DS0028 Logon Session

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization [1]

ID: DS0028
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host, Network
Version: 1.1
Created: 20 October 2021
Last Modified: 07 December 2022

Data Components

Logon Session Creation

Initial construction of a successful new user logon following an authentication attempt (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp).

Domain ID Name
enterprise T1185 Browser Session Hijacking
enterprise T1538 Cloud Service Dashboard
enterprise T1213 Data from Information Repositories
enterprise T1213.001 Confluence
enterprise T1213.002 Sharepoint
enterprise T1213.003 Code Repositories
ics T0811 Data from Information Repositories
ics T0812 Default Credentials
enterprise T1114 Email Collection
enterprise T1114.002 Remote Email Collection
enterprise T1606 Forge Web Credentials
enterprise T1606.001 Web Cookies
enterprise T1606.002 SAML Tokens
ics T0823 Graphical User Interface
ics T0891 Hardcoded Credentials
enterprise T1556 Modify Authentication Process
enterprise T1556.001 Domain Controller Authentication
enterprise T1556.003 Pluggable Authentication Modules
enterprise T1556.006 Multi-Factor Authentication
enterprise T1556.007 Hybrid Identity
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1563 Remote Service Session Hijacking
enterprise T1563.001 SSH Hijacking
enterprise T1563.002 RDP Hijacking
enterprise T1021 Remote Services
enterprise T1021.001 Remote Desktop Protocol
enterprise T1021.002 SMB/Windows Admin Shares
enterprise T1021.004 SSH
enterprise T1021.005 VNC
enterprise T1021.006 Windows Remote Management
enterprise T1021.007 Cloud Services
ics T0886 Remote Services
enterprise T1649 Steal or Forge Authentication Certificates
enterprise T1199 Trusted Relationship
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.002 Pass the Hash
enterprise T1550.003 Pass the Ticket
enterprise T1078 Valid Accounts
enterprise T1078.001 Default Accounts
enterprise T1078.002 Domain Accounts
enterprise T1078.003 Local Accounts
enterprise T1078.004 Cloud Accounts
ics T0859 Valid Accounts
ics T0860 Wireless Compromise

Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated with it.

Domain ID Name
enterprise T1133 External Remote Services
ics T0822 External Remote Services
enterprise T1606 Forge Web Credentials
enterprise T1606.002 SAML Tokens
ics T0883 Internet Accessible Device
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1558 Steal or Forge Kerberos Tickets
enterprise T1558.001 Golden Ticket
enterprise T1558.002 Silver Ticket
enterprise T1199 Trusted Relationship
enterprise T1078 Valid Accounts
enterprise T1078.002 Domain Accounts
enterprise T1078.003 Local Accounts
enterprise T1078.004 Cloud Accounts
ics T0859 Valid Accounts

References

1. Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.
2. Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.
3. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
4. Dr. Nestori Syynimaa. (2022, September 20). Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials. Retrieved September 28, 2022.
5. Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.
6. Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.
7. Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.
8. Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
9. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
10. Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.
11. Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.
12. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
13. Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.
14. Microsoft. (2022, August 26). Protecting Microsoft 365 from on-premises attacks. Retrieved February 21, 2023.
15. Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
16. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.