Potential Account Takeover - Mixed Logon Types

Last updated: 2026-02-25
Created: 2026-02-25

About

Identifies a user account (often a service account) that normally logs on in high volume with one logon type and suddenly shows a small number of successful logons with a different logon type. This pattern may indicate account takeover or the use of stolen credentials from a new context (e.g. an interactive or network logon where only batch or service logons were expected).
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Windows Security Event Logs
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

system

windows

Query
from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| WHERE event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and event.outcome == "success"
    and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
    and to_lower(user.name) != "administrator"
// count successful logons per user and per logon type
| STATS logon_count = COUNT(*) by user.name, winlog.logon.type
// collapse to one row per user: highest and lowest per-type count, the set of types seen, and how many distinct types
| STATS Esql.max_logon = MAX(logon_count),
        Esql.min_logon = MIN(logon_count),
        Esql.logon_type_values = VALUES(winlog.logon.type),
        Esql.count_distinct_logon_types = COUNT_DISTINCT(winlog.logon.type)
  by user.name
// a high count of logons is often associated with a service account tied to a specific service;
// if the same account is observed with a different logon type in low volume, it's suspicious
| WHERE Esql.count_distinct_logon_types >= 2 and Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 10)
| EVAL winlog.logon.type = MV_FIRST(Esql.logon_type_values)
| KEEP user.name, winlog.logon.type, Esql.*
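The same aggregation logic, rewritten in Python over constructed sample events so the thresholds can be checked offline. This is an added illustration, not part of the rule or of Elastic's code; the event dictionaries, user names, SIDs and counts are all made up for the example, and the ECS field names mirror those used in the query above.

```python
from collections import Counter

# Well-known SIDs the rule excludes: LocalSystem, LocalService, NetworkService.
EXCLUDED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def logon(user, sid, ltype, n, outcome="success"):
    """Constructed ECS-style 4624 events (sample data, not real logs)."""
    base = {"event.category": "authentication", "event.action": "logged-in",
            "winlog.event_id": "4624", "event.outcome": outcome,
            "user.name": user, "user.id": sid, "winlog.logon.type": ltype}
    return [dict(base) for _ in range(n)]


# svc_backup: 1500 batch logons plus 3 interactive ones -> should alert.
# alice: low volume overall -> max below 1000, no alert.
# SYSTEM and Administrator: excluded by the SID / name filters.
SAMPLE_EVENTS = (logon("svc_backup", "S-1-5-21-1001", "Batch", 1500)
                 + logon("svc_backup", "S-1-5-21-1001", "Interactive", 3)
                 + logon("svc_backup", "S-1-5-21-1001", "Network", 4, "failure")
                 + logon("alice", "S-1-5-21-1002", "Interactive", 20)
                 + logon("alice", "S-1-5-21-1002", "Network", 5)
                 + logon("SYSTEM", "S-1-5-18", "Service", 2000)
                 + logon("SYSTEM", "S-1-5-18", "Network", 2)
                 + logon("Administrator", "S-1-5-21-500", "Network", 1200)
                 + logon("Administrator", "S-1-5-21-500", "Interactive", 2))


def is_successful_logon(ev):
    """Mirror of the query's first WHERE clause."""
    return (ev.get("event.category") == "authentication"
            and ev.get("event.action") == "logged-in"
            and ev.get("winlog.event_id") == "4624"
            and ev.get("event.outcome") == "success"
            and ev.get("user.id") not in EXCLUDED_SIDS
            and ev.get("user.name", "").lower() != "administrator")


def mixed_logon_type_users(events, high=1000, low_min=1, low_max=10):
    """Return {user: {logon_type: count}} for users matching the rule's thresholds."""
    counts = Counter()                       # first STATS: per (user, logon type)
    for ev in filter(is_successful_logon, events):
        counts[(ev["user.name"], ev["winlog.logon.type"])] += 1
    per_user = {}                            # second STATS: regroup per user
    for (user, ltype), n in counts.items():
        per_user.setdefault(user, {})[ltype] = n
    alerts = {}
    for user, by_type in per_user.items():   # final WHERE
        mx, mn = max(by_type.values()), min(by_type.values())
        if len(by_type) >= 2 and mx >= high and low_min <= mn <= low_max:
            alerts[user] = by_type
    return alerts
```

Tuning `high`, `low_min` and `low_max` against your own environment's per-account volumes is the main lever for keeping the false-positive rate down.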

Install detection rules in Elastic Security

Detect Potential Account Takeover - Mixed Logon Types in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.