Privilege Escalation (TA0004)
```esql
from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| where event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and event.outcome == "success"
  and winlog.logon.type in ("Network", "RemoteInteractive")
  and source.ip is not null and source.ip != "127.0.0.1" and not to_string(source.ip) like "*::*"
  and not user.name like "*$"
| stats logon_count = COUNT(*) by user.name, source.ip
| stats Esql.max_logon = MAX(logon_count), Esql.min_logon = MIN(logon_count), Esql.source_ip_values = VALUES(source.ip), Esql.count_distinct = COUNT_DISTINCT(source.ip) by user.name
// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious
| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct == 2
| eval source.ip = mv_first(Esql.source_ip_values)
| KEEP user.name, source.ip, Esql.*
```
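To make the two-stage aggregation above concrete, here is a pure-Python re-implementation of the same filter and statistics, run over constructed sample events. This is an added example, not Elastic's code or part of the rule; the event dictionaries, the `_logon` helper and the threshold parameters are assumptions made for the demonstration, and the field names simply mirror the ECS / winlog fields the query filters on.

```python
"""Pure-Python mirror of the rule's ES|QL WHERE/STATS pipeline over
constructed sample events (added example, not Elastic's code)."""
from collections import Counter, defaultdict


def _logon(user, ip, logon_type="Network", outcome="success", event_id="4624"):
    # Constructed event, keyed with the fields the ES|QL query inspects.
    return {
        "event.category": "authentication",
        "event.action": "logged-in",
        "winlog.event_id": event_id,
        "event.outcome": outcome,
        "winlog.logon.type": logon_type,
        "source.ip": ip,
        "user.name": user,
    }


def build_sample_events():
    """Constructed sample telemetry (not real data) covering the rule's cases."""
    events = []
    # Service account: 1200 routine network logons from its usual host ...
    events += [_logon("svc_backup", "10.0.0.5") for _ in range(1200)]
    # ... plus a single RDP-style logon from an IP never seen before -> alert.
    events.append(_logon("svc_backup", "10.0.0.99", logon_type="RemoteInteractive"))
    # Rows the WHERE clause drops for the same account: a failure and an Interactive logon.
    events.append(_logon("svc_backup", "10.0.0.123", outcome="failure"))
    events.append(_logon("svc_backup", "10.0.0.124", logon_type="Interactive"))
    # Interactive user with few logons from two IPs -> max_logon below 1000, no alert.
    events += [_logon("alice", "10.0.1.10") for _ in range(3)]
    events.append(_logon("alice", "10.0.1.11"))
    # Service account seen from three IPs -> count_distinct != 2, no alert.
    events += [_logon("svc_web", "10.0.2.1") for _ in range(1500)]
    events += [_logon("svc_web", "10.0.2.2"), _logon("svc_web", "10.0.2.3")]
    # Computer account (trailing "$"), loopback and IPv6 sources are all filtered out.
    events += [_logon("WS01$", "10.0.0.5") for _ in range(1100)]
    events.append(_logon("WS01$", "10.0.0.77"))
    events += [_logon("svc_sql", "127.0.0.1") for _ in range(1100)]
    events.append(_logon("svc_sql", "fe80::1"))
    return events


def passes_where(ev):
    """Mirror of the query's WHERE clause, one condition per line."""
    ip = ev.get("source.ip")
    user = ev.get("user.name") or ""
    return (
        ev.get("event.category") == "authentication"
        and ev.get("event.action") == "logged-in"
        and ev.get("winlog.event_id") == "4624"
        and ev.get("event.outcome") == "success"
        and ev.get("winlog.logon.type") in ("Network", "RemoteInteractive")
        and ip is not None
        and ip != "127.0.0.1"
        and "::" not in str(ip)       # `not to_string(source.ip) like "*::*"`: drops IPv6
        and not user.endswith("$")    # `not user.name like "*$"`: drops computer accounts
    )


def detect_new_source_ip(events, max_logon=1000, min_logon_range=(1, 5)):
    """Two-stage STATS of the rule; returns one finding per user.name."""
    # Stage 1: logon_count = COUNT(*) by user.name, source.ip
    logon_count = Counter(
        (ev["user.name"], ev["source.ip"]) for ev in events if passes_where(ev)
    )
    # Stage 2: MAX / MIN / VALUES / COUNT_DISTINCT by user.name
    per_user = defaultdict(dict)
    for (user, ip), n in logon_count.items():
        per_user[user][ip] = n

    findings = []
    for user, ip_counts in sorted(per_user.items()):
        max_c, min_c = max(ip_counts.values()), min(ip_counts.values())
        lo, hi = min_logon_range
        if not (max_c >= max_logon and lo <= min_c <= hi and len(ip_counts) == 2):
            continue
        # The rule's `mv_first(VALUES(source.ip))` reports whichever IP the
        # multivalue happens to list first; here the rare IP is chosen explicitly
        # because it is the one an analyst needs to triage.
        rare_ip = min(ip_counts, key=ip_counts.get)
        findings.append({
            "user.name": user,
            "source.ip": rare_ip,
            "Esql.max_logon": max_c,
            "Esql.min_logon": min_c,
            "Esql.count_distinct": len(ip_counts),
            "Esql.source_ip_values": sorted(ip_counts),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_new_source_ip(build_sample_events()):
        print(finding)
```

Running the block prints a single finding for `svc_backup` with the rare source `10.0.0.99`; `alice` (too few logons), `svc_web` (three distinct sources), `WS01$` (computer account) and `svc_sql` (only loopback and IPv6 sources) produce nothing, which is the behaviour the WHERE and final filter clauses of the rule encode. One deliberate difference from the ES|QL is the reported `source.ip`: the rule emits `mv_first` of the collected values, whereas the example picks the IP with the lowest logon count, since that is the candidate new source.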
Install detection rules in Elastic Security
Detect Potential Account Takeover - Logon from New Source IP in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.