title: Interactive Logon to Server Systems
author: Florian Roth
date: 2017/03/17
description: Detects interactive console logons to Server Systems
detection:
  SELECTION_1:
    EventID: 528
  SELECTION_2:
    EventID: 529
  SELECTION_3:
    EventID: 4624
  SELECTION_4:
    EventID: 4625
  SELECTION_5:
    LogonType: 2
  SELECTION_6:
    ComputerName:
    - '%ServerSystems%'
    - '%DomainControllers%'
  SELECTION_7:
    LogonProcessName: Advapi
  SELECTION_8:
    ComputerName: '%Workstations%'
  condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5
    and SELECTION_6) and  not (SELECTION_7 and SELECTION_8))
falsepositives:
- Administrative activity via KVM or ILO board
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
level: medium
logsource:
  product: windows
  service: security
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
ruletype: SIGMA