Elastic Detection Rule - Network Login via Built-In Account (via audit)

edr-networkloginbuiltin.ndjson

{"author":["Austin Songer"],"actions":[],"created_at":"2021-02-06T21:31:44.315Z","updated_at":"2021-02-06T21:32:23.413Z","created_by":"667492525","description":"Detects network (type 3) logins and login attempts with built-in/default accounts (guest, admin, etc)\"","enabled":true,"false_positives":[],"filters":[],"from":"now-660s","id":"4fb662af-518c-4358-a74a-4f183054c046","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*"],"interval":"10m","rule_id":"c49ad3c1-0bdc-4cd1-8a6d-2035fe80b637","language":"kuery","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":47,"risk_score_mapping":[],"name":"Network Login via Built-In Account (via audit)","query":"(log_name:(\\\"Security\\\") AND event_id:(\\\"4624\\\" \\\"4625\\\")) AND ( (event_data.LogonType:(\\\"3\\\") AND event_data.TargetUserSid.keyword:(*\\\\-500 *\\\\-501 *\\\\-503 *\\\\-504)) ) AND NOT ( (computer_name:(\\\"WORKSTATION-NAME\\\") AND \\\"USER-NAME\\\") )","references":["https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems"],"meta":{"from":"1m","kibana_siem_app_url":""},"severity":"medium","severity_mapping":[],"updated_by":"667492525","tags":["Windows","Defense Evasion","Persistence","Privilege Escalation","Initial Access","T1078"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0005","reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion"},"technique":[{"id":"T1078","name":"Valid Accounts","reference":"https://attack.mitre.org/techniques/T1078"}]}],"throttle":"no_actions","version":2,"exceptions_list":[{"id":"cbaa93b0-68c2-11eb-8178-9fdd5f747583","list_id":"8d33265e-c04b-4f02-b306-559ee888a8d3","type":"detection","namespace_type":"single"}]}
{"exported_count":1,"missing_rules":[],"missing_rules_count":0}