Skip to content

T1033 IdentifySuccessfulLogons

T1033 - Identify successful logons to the host

DESCRIPTION

The actor gathered information about successful logons to the host using a PowerShell command.

Example:

Get-EventLog security -instanceid 4624

Related

Volt Typhoon activity

Reference

https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

ATT&CK TACTICS

T1033 - System Owner/User Discovery

Data source - Command

SENTINEL RULE QUERY

1
2
let c1 = dynamic(["Get-EventLog", "4624"]);
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)

Triage

  1. Inspect which account and at what time the activity was performed
  2. Question the user if the activity was expected and approved

Version

Version 1.0 (date 5/7/2023)