Skip to main content
 
 
 
Splunk Lantern

Remote logons to a host

 

Administrators use tools such as PsExec to connect remotely to network machines to carry out administrative tasks. However, any tool used by a legitimate actor can also be used by a malicious one.

You want to create a search to review remote logons from your network administrators so that you can verify all such logons are legitimate, and not attackers trying to access your network. 

Data required 

System log data

Procedure

In addition, this sample search uses Microsoft Windows security logs. You can replace this source with any other system log data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT user="*$" NOT user="ANONYMOUS LOGON" 
| stats  count BY dest src_ip dest_nt_domain user EventCode 
| sort count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

(EventCode=4624 OR EventCode=4672) 

Search for either all successful logon attempts (event code 4624) or when someone with administrator level rights has logged on (event code 4672).

Logon_Type=3 

Search for a logon to a network device from somewhere else in the network.

NOT user="*$" 

Exclude computer logons from the search.

NOT user="ANONYMOUS LOGON" 

Exclude unauthenticated sessions from the search.

| stats  count BY dest src_ip dest_nt_domain user EventCode 

Return the results in a table with the columns shown, showing the total count for each combination of results.

| sort count

Sort the results from the smallest number of event counts to the largest.

Next steps

Using what you know about your network, examine the source-destination pairs for anything unusual. You can click on any row and select View events for more information about an unexpected pairing. If you are specifically concerned about PsExec activity, you can look in the Message field for information about whether PsExec was used.

Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools use case.