@jsecurity101 is next @SANSDefense! Once upon a Login! Understanding logon sessions to add more context to your detection strategy
The logon process structure and some of the logon context switches that we need to understand during investigations. A logon-session-centric data approach! Save time! Accurate!
Allows us to add more context to alerts exposed by vendors. Available telemetry! Sysmon exposes the LogonGuid value too (good to understand how it is generated)! MDE has 48+ actions with LogonId data
LogonSuccess, ProcessCreated, LDAP, and more via MDE. There are also limitations in relation to NewCredentials events
How is the research practical? MDE Alert (creds dump) -> correlate LogonId -> OpenProcessApiCall
Example #2 - Privilege Escalation. Someone logged on via RDP -> created scheduled task -> Injection
Example #3 - Lateral Movement - How do we know where it came from? SuccessfulLogon -> Correlate with DeviceNetworkEvents. It is challenging with the DeviceNetworkEvents table because of the lack of LogonId data.
Basic approach to identify potential lateral movement leveraging LogonType 3 context on new processes being created. Also, a script to automate some of the investigation via SENSE IR scripts.
Thank you @jsecurity101 for sharing your research with the Infosec community! A few recommended free resources
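The LogonType 3 approach from the thread, written out as an added MDE advanced hunting query (this is not the speaker's script or the SENSE IR tooling mentioned above): it joins successful network logons from DeviceLogonEvents to processes created under the same LogonId on the same device within a short window. It assumes the DeviceLogonEvents/DeviceProcessEvents column names as documented for the advanced hunting schema, that LogonType "Network" corresponds to Windows logon type 3, and a constructed 30-minute correlation window.

```kql
// Added example, not from the talk: correlate network (type 3) logons with the
// processes spawned in that logon session, giving process creation the
// "where did it come from" context (RemoteIP / RemoteDeviceName) that
// DeviceNetworkEvents alone cannot supply because it carries no LogonId.
let lookback = 1d;     // constructed search range
let window   = 30m;    // constructed correlation window after the logon
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType == "Network"            // Windows logon type 3 (assumed mapping)
| where isnotempty(RemoteIP)
| project DeviceId, DeviceName, LogonTime = Timestamp, LogonId,
          AccountDomain, AccountName, RemoteIP, RemoteDeviceName
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcTime = Timestamp, LogonId,
              FileName, ProcessCommandLine, InitiatingProcessFileName
) on DeviceId, LogonId                    // same host, same logon session
| where ProcTime between (LogonTime .. (LogonTime + window))
| summarize ProcessCount = count(),
            Processes    = make_set(FileName, 20),
            Parents      = make_set(InitiatingProcessFileName, 20),
            SampleCmd    = any(ProcessCommandLine)
          by DeviceName, AccountDomain, AccountName, LogonId,
             RemoteIP, RemoteDeviceName, LogonTime
| order by LogonTime desc
```

Type 3 logons are high volume (file shares, management agents), so in practice this is tuned by excluding expected source hosts and service accounts, or by restricting the joined processes to interactive-looking parents such as wmiprvse.exe, services.exe, or winrshost.exe.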
@tifkin_ Hermanooo @Cyb3rPandaH and I were talking about some of those concepts while writing a workshop/training, and we decided to put a few things on the board. There are a few things that need to be taken into consideration from a distribution & operationalization of detections
@tifkin_ @Cyb3rPandaH Regarding distribution, we believe that besides just sharing a query, there need to be other considerations to make sure that the detection being shared is of quality and that it could also encourage others to build on top of it,
@tifkin_ @Cyb3rPandaH learn from it, and be able to perform some initial validation before even trying to translate a query to other tools' syntax right away, and also avoid the COPY-PASTE-SEARCH approach.