@jsecurity101 is next @SANSDefense ! Once upon a Login! Understanding logon sessions to add more context to your detection strategy 🎉🔥
The logon process structure and some of the logon context switches that we need to understand during investigations 🚀🏹 A logon-session-centric data approach! Save time! Accurate!
Allows us to add more context to alerts exposed by vendors. Available telemetry! Sysmon exposes the LogonGuid value too (good to understand how it is generated)! MDE has 48+ actions with LogonId data 🏹
LogonSuccess, ProcessCreated, LDAP, and more via MDE. There are also limitations in relation to NewCredentials events 🤔
How is the research practical? MDE Alert (creds dump) -> correlate LogonId -> OpenProcessApiCall
Example #2 - Privilege Escalation. Someone logged on via RDP -> created scheduled task -> Injection
Example #3 - Lateral Movement - How do we know where it came from? SuccessfulLogon -> Correlate with DeviceNetworkEvents. It is challenging with the DeviceNetworkEvents table because of the lack of LogonId data.
Basic approach to identify potential lateral movement leveraging LogonType 3 context on new processes being created. Also, a script to automate some of the investigation via SENSE IR scripts.
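The three examples above boil down to one move: pivot on LogonId so that a process, API call or alert inherits the context of the logon session it runs in. The script below is an added illustration of that correlation, not code from the talk, from @jsecurity101 or from SANS. The event rows are constructed and only mimic the shape of MDE DeviceLogonEvents / DeviceProcessEvents / DeviceEvents rows (column names such as LogonId, LogonType, RemoteIP, ActionType are used as assumptions); the numeric logon types are the Windows values the thread refers to, mapped to the names MDE shows.

```python
"""Add logon-session context to endpoint events by pivoting on LogonId.

Added example (not the speaker's or project's code). All rows below are
constructed sample telemetry shaped like MDE advanced-hunting rows.
"""

# Windows numeric logon types -> names as MDE's LogonType column shows them (assumption).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 9: "NewCredentials", 10: "RemoteInteractive"}

# Constructed DeviceLogonEvents-like rows. LogonId is the session LUID as an integer.
LOGON_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "ActionType": "LogonSuccess", "LogonId": 1001,
     "LogonType": 2, "AccountName": "alice", "RemoteIP": None},
    {"Timestamp": "2024-01-01T10:05:00Z", "ActionType": "LogonSuccess", "LogonId": 2002,
     "LogonType": 3, "AccountName": "svc-backup", "RemoteIP": "10.0.0.5"},
    {"Timestamp": "2024-01-01T10:07:00Z", "ActionType": "LogonSuccess", "LogonId": 3003,
     "LogonType": 10, "AccountName": "bob", "RemoteIP": "10.0.0.9"},
]

# Constructed DeviceProcessEvents-like rows. LogonId 4004 has no matching logon row on purpose.
PROCESS_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:05Z", "ActionType": "ProcessCreated", "LogonId": 1001, "FileName": "explorer.exe"},
    {"Timestamp": "2024-01-01T10:05:30Z", "ActionType": "ProcessCreated", "LogonId": 2002, "FileName": "powershell.exe"},
    {"Timestamp": "2024-01-01T10:07:40Z", "ActionType": "ProcessCreated", "LogonId": 3003, "FileName": "schtasks.exe"},
    {"Timestamp": "2024-01-01T10:06:00Z", "ActionType": "ProcessCreated", "LogonId": 2002, "FileName": "rundll32.exe"},
    {"Timestamp": "2024-01-01T10:08:00Z", "ActionType": "ProcessCreated", "LogonId": 4004, "FileName": "cmd.exe"},
]

# Constructed DeviceEvents-like row: the API call an alert would point us at (Example #1).
API_EVENTS = [
    {"Timestamp": "2024-01-01T10:06:30Z", "ActionType": "OpenProcessApiCall", "LogonId": 2002,
     "FileName": "rundll32.exe", "TargetProcess": "lsass.exe"},
]


def index_logons(logon_events):
    """Map LogonId -> the LogonSuccess row that created that session (first seen wins)."""
    index = {}
    for ev in logon_events:
        if ev["ActionType"] == "LogonSuccess":
            index.setdefault(ev["LogonId"], ev)
    return index


def enrich(events, logon_index):
    """Copy each event and attach the account, logon type and origin IP of its session.

    Sessions with no LogonSuccess row in the window (e.g. a logon that predates
    retention, or a NewCredentials session) are labelled "unknown" rather than dropped.
    """
    enriched = []
    for ev in events:
        row = dict(ev)
        session = logon_index.get(ev["LogonId"])
        if session is None:
            row.update({"LogonTypeName": "unknown", "SessionAccount": None, "SessionRemoteIP": None})
        else:
            row.update({"LogonTypeName": LOGON_TYPE_NAMES.get(session["LogonType"], str(session["LogonType"])),
                        "SessionAccount": session["AccountName"],
                        "SessionRemoteIP": session["RemoteIP"]})
        enriched.append(row)
    return enriched


def network_logon_processes(process_events, logon_events):
    """Example #3: processes created inside LogonType 3 (Network) sessions, with the origin IP.

    The origin comes from the logon row itself, which sidesteps the missing LogonId
    in DeviceNetworkEvents mentioned in the thread.
    """
    rows = enrich(process_events, index_logons(logon_events))
    return [(r["FileName"], r["SessionAccount"], r["SessionRemoteIP"]) for r in rows if r["LogonTypeName"] == "Network"]


def session_timeline(logon_id, *event_tables):
    """Examples #1 and #2: every row from any table that shares one LogonId, in time order."""
    rows = [ev for table in event_tables for ev in table if ev["LogonId"] == logon_id]
    return sorted(rows, key=lambda ev: ev["Timestamp"])


if __name__ == "__main__":
    for hit in network_logon_processes(PROCESS_EVENTS, LOGON_EVENTS):
        print("network-session process:", hit)
    for ev in session_timeline(2002, LOGON_EVENTS, PROCESS_EVENTS, API_EVENTS):
        print(ev["Timestamp"], ev["ActionType"], ev.get("FileName", ev.get("AccountName")))
```

Running it lists the two processes spawned inside the network logon from 10.0.0.5 and rebuilds the 2002 session from LogonSuccess through ProcessCreated to OpenProcessApiCall, which is the pivot the first example describes; the cmd.exe row with an unmatched LogonId shows why a session-centric approach still needs the logon rows to be in the hunting window.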
Thank you @jsecurity101 for sharing your research with the Infosec community! A few recommended free resources 🎉