Remote logons to a host
Administrators use tools such as PsExec to connect remotely to network machines to carry out administrative tasks. However, any tool used by a legitimate actor can also be used by a malicious one.
You want to create a search that reviews remote logons made by your network administrators, so that you can verify that every such logon is legitimate and not an attacker using the same tooling to move through your network.
Data required
Microsoft Windows security logs
Procedure
This sample search uses Microsoft Windows security logs. You can replace this source with any other system log data used in your organization.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT user="*$" NOT user="ANONYMOUS LOGON" | stats count BY dest src_ip dest_nt_domain user EventCode | sort count
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=WinEventLog:Security | Search only Windows security event logs. |
| (EventCode=4624 OR EventCode=4672) | Search for successful logons (event code 4624) and for logons that were assigned administrator-level privileges (event code 4672). Note that a 4672 event carries neither a Logon Type nor a source address, so the Logon_Type=3 clause that follows drops every 4672 event; in practice this search returns 4624 events only. |
| Logon_Type=3 | Keep only network logons: the account authenticated to the host over the network (for example over SMB), which is how PsExec and similar remote administration tools appear, rather than at the console (type 2) or over RDP (type 10). |
| NOT user="*$" | Exclude computer accounts, whose names end in $. |
| NOT user="ANONYMOUS LOGON" | Exclude unauthenticated (null-session) logons. |
| \| stats count BY dest src_ip dest_nt_domain user EventCode | Return a table with one row per combination of destination host, source IP, destination domain, user and event code, with the count of events for that combination. Events missing any of these fields are dropped. |
| \| sort count | Sort ascending, so the rarest combinations, such as a one-off administrator logon from an unfamiliar source, appear first. |
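To check what the search keeps and drops before trusting its results, the following added example (not code from the original page or from Splunk) emulates the search's filter and stats logic in Python over a handful of constructed Windows Security events. The field names (EventCode, Logon_Type, user, src_ip, dest, dest_nt_domain) are assumed to be extracted as in the search above; the hosts, users and addresses are hypothetical. The sample set includes a 4672 event, which shows the caveat from the table: with no Logon Type it never reaches the stats stage.

```python
from collections import Counter

# Fields the page's search groups on: stats count BY dest src_ip dest_nt_domain user EventCode
GROUP_BY = ("dest", "src_ip", "dest_nt_domain", "user", "EventCode")


def ev(code, user, dest, src_ip=None, logon_type=None, domain="CORP"):
    """Build one extracted Windows Security event as a dict of Splunk-style field names."""
    event = {"EventCode": code, "user": user, "dest": dest, "dest_nt_domain": domain}
    if src_ip is not None:
        event["src_ip"] = src_ip
    if logon_type is not None:
        event["Logon_Type"] = logon_type
    return event


# Constructed sample events (hypothetical hosts, users and addresses; not real log data).
SAMPLE_EVENTS = [
    ev("4624", "jdoe", "FS01", src_ip="10.0.0.23", logon_type="3"),
    ev("4624", "jdoe", "FS01", src_ip="10.0.0.23", logon_type="3"),
    ev("4624", "jdoe", "FS01", src_ip="10.0.0.23", logon_type="3"),
    ev("4624", "WS07$", "FS01", src_ip="10.0.0.45", logon_type="3"),             # computer account
    ev("4624", "ANONYMOUS LOGON", "FS01", src_ip="10.0.0.99", logon_type="3"),   # null session
    ev("4624", "jdoe", "WS07", src_ip="127.0.0.1", logon_type="2"),              # console logon, not type 3
    ev("4672", "admin", "DC01"),                                                 # 4672: no Logon Type, no src_ip
    ev("4624", "admin", "DC01", src_ip="203.0.113.7", logon_type="3"),           # one-off admin network logon
]


def exclusion_reason(event):
    """Return why the page's search drops this event, or None if it keeps it.

    The checks mirror the SPL clauses in order: the event-code filter, Logon_Type=3,
    the two NOT clauses on user, and finally stats' implicit requirement that every
    BY field is present.
    """
    if event.get("EventCode") not in ("4624", "4672"):
        return "EventCode not 4624/4672"
    if event.get("Logon_Type") != "3":
        # A 4672 event never carries a Logon Type, so this clause drops every 4672 event.
        return "Logon_Type not 3 (or absent)"
    user = event.get("user", "")
    if user.endswith("$"):
        return "computer account"
    if user == "ANONYMOUS LOGON":
        return "anonymous logon"
    if any(event.get(field) is None for field in GROUP_BY):
        return "missing BY field, dropped by stats"
    return None


def remote_logon_report(events):
    """Emulate '... | stats count BY dest src_ip dest_nt_domain user EventCode | sort count'.

    Returns a list of row dicts, rarest combinations first, so one-off
    administrator logons surface at the top just as in the Splunk result table.
    """
    counts = Counter(
        tuple(event[field] for field in GROUP_BY)
        for event in events
        if exclusion_reason(event) is None
    )
    rows = [dict(zip(GROUP_BY, key), count=count) for key, count in counts.items()]
    rows.sort(key=lambda row: row["count"])
    return rows


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        reason = exclusion_reason(event)
        if reason:
            print(f"dropped {event['EventCode']} {event['user']!r:20} -> {reason}")
    print()
    for row in remote_logon_report(SAMPLE_EVENTS):
        print(row)
```

Running it lists the five dropped events with the clause responsible, then two result rows: the single admin logon to DC01 from 203.0.113.7 first, the three routine jdoe logons to FS01 second. Swapping the constructed list for events exported from your own index is a quick way to confirm the search's exclusions behave as you expect before you act on its output.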
Next steps
Using what you know about your network, examine the source-destination pairs for anything unusual. You can click on any row and select View events for more information about an unexpected pairing. If you are specifically concerned about PsExec activity, you can look in the Message field for information about whether PsExec was used.
Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools use case.