Logon Session

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton^[1]

ID: DS0028

ⓘ

Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS

ⓘ

Collection Layers: Cloud Control Plane, Host, Network

Contributors: Center for Threat-Informed Defense (CTID)

Version: 1.0

Created: 20 October 2021

Last Modified: 10 November 2021

Data Components

Logon Session: Logon Session Creation

Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Logon Session: Logon Session Creation

Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

Domain	ID		Name
Enterprise	T1185		Browser Session Hijacking
Enterprise	T1538		Cloud Service Dashboard
Enterprise	T1213		Data from Information Repositories
		.001	Confluence
		.002	Sharepoint
		.003	Code Repositories
Enterprise	T1114		Email Collection
		.002	Remote Email Collection
Enterprise	T1606		Forge Web Credentials
		.001	Web Cookies
		.002	SAML Tokens
Enterprise	T1556		Modify Authentication Process
		.001	Domain Controller Authentication
		.003	Pluggable Authentication Modules
Enterprise	T1563		Remote Service Session Hijacking
		.001	SSH Hijacking
		.002	RDP Hijacking
Enterprise	T1021		Remote Services
		.001	Remote Desktop Protocol
		.002	SMB/Windows Admin Shares
		.004	SSH
		.005	VNC
		.006	Windows Remote Management
Enterprise	T1199		Trusted Relationship
Enterprise	T1550		Use Alternate Authentication Material
		.002	Pass the Hash
		.003	Pass the Ticket
Enterprise	T1078		Valid Accounts
		.001	Default Accounts
		.002	Domain Accounts
		.003	Local Accounts
		.004	Cloud Accounts

Logon Session: Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Logon Session: Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it

Domain	ID		Name
Enterprise	T1133		External Remote Services
Enterprise	T1558		Steal or Forge Kerberos Tickets
		.001	Golden Ticket
		.002	Silver Ticket
Enterprise	T1199		Trusted Relationship
Enterprise	T1078		Valid Accounts
		.002	Domain Accounts
		.003	Local Accounts
		.004	Cloud Accounts

References

Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.