Splunk Lantern

Remote logons to a host

Administrators use tools such as PsExec to connect remotely to network machines to carry out administrative tasks. However, any tool used by a legitimate actor can also be used by a malicious one. You might want to monitor remote logons for help with the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You want to create a search to review remote logons from your network administrators so that you can verify all such logons are legitimate, and not attackers trying to access your network. 

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Windows security logs. You can replace this source with any other system log data used in your organization.

  1. Run the following search:
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT user="*$" NOT user="ANONYMOUS LOGON"
| stats count BY dest src_ip dest_nt_domain user EventCode
| sort count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

(EventCode=4624 OR EventCode=4672) 

Search for either all successful logon attempts (event code 4624) or logons in which the account was assigned administrator-level privileges (event code 4672).

Logon_Type=3 

Search only for network logons (logon type 3), that is, logons to the host that originate from somewhere else on the network, which is how tools such as PsExec connect.

NOT user="*$" 

Exclude computer (machine) account logons from the search; these account names end in $.

NOT user="ANONYMOUS LOGON" 

Exclude unauthenticated sessions from the search.

| stats count BY dest src_ip dest_nt_domain user EventCode

Return the results as a table with one row per distinct combination of destination host, source IP, domain, user, and event code, together with the number of events seen for that combination.

| sort count

Sort the results from the smallest event count to the largest, so the rarest source-destination pairings appear first.

Result

Using what you know about your network, examine the source-destination pairs for anything unusual. You can click on any row and select View events for more information about an unexpected pairing. If you are specifically concerned about PsExec activity, you can look in the Message field for information about whether PsExec was used.
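To make the search logic concrete outside of Splunk, the following Python script is an added example (not code from Splunk Lantern) that applies the same filters and aggregation to a handful of constructed Windows security events, and then performs the PsExec drill-down described above. The field names (EventCode, Logon_Type, dest, src_ip, dest_nt_domain, user, Message) are the ones the search uses; the sample events, hostnames, IP addresses and user names are invented for illustration.

```python
"""Plain-Python re-implementation of the remote-logon search above.

Added example, not code from Splunk Lantern. It mirrors the SPL step by step:
  - keep only EventCode 4624 or 4672
  - keep only Logon_Type 3 (network logons)
  - drop computer accounts (user ends in "$") and "ANONYMOUS LOGON"
  - count by (dest, src_ip, dest_nt_domain, user, EventCode), sort ascending
"""
from collections import Counter

# Constructed sample events (not real log data). Each dict stands for one
# parsed WinEventLog:Security event with the fields the search relies on.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.25",
     "dest_nt_domain": "CORP", "user": "jsmith",
     "Message": "An account was successfully logged on."},
    {"EventCode": 4672, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.25",
     "dest_nt_domain": "CORP", "user": "jsmith",
     "Message": "Special privileges assigned to new logon."},
    {"EventCode": 4624, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.25",
     "dest_nt_domain": "CORP", "user": "jsmith",
     "Message": "An account was successfully logged on."},
    {"EventCode": 4624, "Logon_Type": 3, "dest": "WS07", "src_ip": "10.0.9.200",
     "dest_nt_domain": "CORP", "user": "svc_backup",
     "Message": "An account was successfully logged on. Process Name: PSEXESVC.exe"},
    # The remaining events are excluded by one of the search filters:
    {"EventCode": 4624, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.30",
     "dest_nt_domain": "CORP", "user": "WS07$", "Message": "computer account logon"},
    {"EventCode": 4624, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.31",
     "dest_nt_domain": "NT AUTHORITY", "user": "ANONYMOUS LOGON", "Message": "null session"},
    {"EventCode": 4624, "Logon_Type": 2, "dest": "WS07", "src_ip": "-",
     "dest_nt_domain": "CORP", "user": "jsmith", "Message": "interactive logon"},
    {"EventCode": 4625, "Logon_Type": 3, "dest": "FS01", "src_ip": "10.0.1.25",
     "dest_nt_domain": "CORP", "user": "jsmith", "Message": "failed logon"},
]

# The BY clause of the stats command, in the same order as the search.
GROUP_FIELDS = ("dest", "src_ip", "dest_nt_domain", "user", "EventCode")


def matches_search(event):
    """Apply the base search: event codes, logon type and the two user exclusions."""
    if event.get("EventCode") not in (4624, 4672):
        return False
    if event.get("Logon_Type") != 3:
        return False
    user = event.get("user", "")
    if user.endswith("$"):           # NOT user="*$"  (computer accounts)
        return False
    if user == "ANONYMOUS LOGON":    # NOT user="ANONYMOUS LOGON"
        return False
    return True


def remote_logon_stats(events):
    """Equivalent of `| stats count BY ... | sort count`.

    Returns one dict per group, ordered by ascending count so the rarest
    source/destination pairings (the ones worth a closer look) come first.
    """
    counts = Counter(
        tuple(e[f] for f in GROUP_FIELDS) for e in events if matches_search(e)
    )
    rows = [dict(zip(GROUP_FIELDS, key), count=n) for key, n in counts.items()]
    # Sort by count ascending; tie-break on the group key so output is stable.
    rows.sort(key=lambda r: (r["count"], tuple(str(r[f]) for f in GROUP_FIELDS)))
    return rows


def psexec_mentions(events):
    """Drill-down from the Result section: matching events whose Message mentions PsExec.

    The substring "psexe" covers both the tool name and PSEXESVC, the name of
    the service process PsExec installs on the target host.
    """
    return [e for e in events
            if matches_search(e) and "psexe" in e.get("Message", "").lower()]


if __name__ == "__main__":
    for row in remote_logon_stats(SAMPLE_EVENTS):
        print(row)
    print("Events mentioning PsExec:", len(psexec_mentions(SAMPLE_EVENTS)))
```

Run as-is, the script prints three rows: the single 4672 logon and the svc_backup logon (count 1 each) before the jsmith 4624 logons (count 2), and reports one event whose Message points at PsExec. Replacing SAMPLE_EVENTS with events parsed from an export of your own security logs gives the same view the Splunk search produces.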
