title: Interactive Logon to Server Systems
author: Florian Roth
date: 2017/03/17
description: Detects interactive console logons to Server Systems
detection:
    SELECTION_1:
        EventID: 528
    SELECTION_2:
        EventID: 529
    SELECTION_3:
        EventID: 4624
    SELECTION_4:
        EventID: 4625
    SELECTION_5:
        LogonType: 2
    SELECTION_6:
        ComputerName: '%ServerSystems%'
    SELECTION_7:
        ComputerName: '%DomainControllers%'
    SELECTION_8:
        LogonProcessName: Advapi
    SELECTION_9:
        ComputerName: '%Workstations%'
    condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5 and (SELECTION_6 or SELECTION_7)) and not (SELECTION_8 and SELECTION_9))
falsepositives:
    - Administrative activity via KVM or ILO board
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
level: medium
logsource:
    product: windows
    service: security
tags:
    - attack.lateral_movement
    - attack.t1078
yml_filename: win_susp_interactive_logons.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin